RE: ERPNext - cost-effective ERP solution

@girish @nebulon would you look into it?

@Aizat I'm looking for someone who know MariaDB and Python3 for the project. I've successfully packaged ErpNext, but I had to patch the source code of "Payments" and "HRMS" modules that crash the database tables during installation. Instead of cash, I'm looking for few other people who would pull the repo, and see if they see the same kind of crashes.

@subven oh, wow! How did I miss that!

Trailer
You know what's disappointing? I started packaging ERPNext for the HR module. Unfortunately, the HR Module is not available after installation. Now I'm here thinking where the hell it go, and why I spent weeks packaging something that doesn't have the particular module I was looking for.

Update: Looks like version-14 of ERPNext does not have HR module. Only version-13 has it. Now packaging version 13.

@marcusquinn I could do the entire EspoCRM in Directus if I had to.

I wanted to package it because it's one of the most wanted apps, but I think it takes someone else who knows python and databases more than me.

Help Needed. Please check issue on github.

I'm inches away from either successfully running ErpNext or quitting the idea of packaging it. Never had I ever stuck with this kind of stupid errors.

When everything goes smooth, one of the modules (Payment Module in particular) make the entire table crash in the middle of loading the modules. Fix one error, then another pops up, then another.

I no longer have time nor patience to package this after this week. Here's the progress.. github.com/njsubedi/cloudron-erpnext if anyone has time, skill and patience, please go ahead and continue packaging this piece of sofware.

If anyone knows people from Frappe, please tell them to stop putting spaces and uppercase letters in table names, and at least retry any database operation instead of leaving the entire database in broken state when something fails, then have the user restart the minutes long process from the beginning.

Hours spent: 100+

Please check the issue on Github

@BrutalBirdie do you mean the Cloudron's usual tests to see if the app installs, backs up and restores correctly? If so I don't think I'll do that because you guys better know how to do that.

@BrutalBirdie It seems the problem only occurs in new installation. Since I've always been updating from previous versions, the error didn't show up. I'm fixing it now; and will update you when done.

Issue: Starting v19.0, Keycloak would require kc.sh --optimized to start Keycloak. Otherwise it would try to run kc.sh build before starting. That resulted in failure in the readonly system.

Issue 2: I had set optionalSso=true but that lead to another issue where CLOUDRON_LDAP_URL variable would be unbound when installed from CLI. I don't think this was the default behaviour when I first packaged Cloudron. Anyway, I have set optionalSso=false just in case Cloudron's default changes again.

The package should build and install correctly. PS: I'll start testing on fresh installs from next releases, so it should not repeat again.

https://github.com/njsubedi/cloudron-keycloak/releases/tag/v19.0.1-patch2

Update available v19.0.1

@infogulch said in ERPNext - cost-effective ERP solution:

frappe framework needs root access to the database

Surely this is not actually necessary to run the app, but is just part of their custom dynamic deployment system (ick). I hope it's possible to extricate the actual app from the framework...

I thought so too. Unfortunately, it keeps asking for "postgres super user password".

@girish for the initial release, I've given up on the idea of using Cloudron addons for now. Postgres is also getting over-complicated so I think I'd stick with MariaDB. Let's see how it goes. The build-run-test cycle is quite tedious when there are all kinds of new errors to resolve. ErpNext turned out to be a lot harder than I expected.

Current status: frappe installed, up and running. ErpNext won't install, and require all its dependencies (apps) to be installed. My target is to publish it by this week.

Two major issues that I ran into while testing on cloudron.

• frappe framework requires the database name and database username to be the same (its hardcoded and all over the place). When testing locally it worked but in cloudron, db name is appended with “db” and username with “user”

• frappe framework needs root access to the database, eg. password of the user named “postgres” (its hardcoded, even if —dbroot-username exists, it’s for mariadb only)

That’s why I’m running postgres server on the Docker container itself, and not use any db addons. I’ll map the db storage to /app/data so it gets backed up regularly.

See you guys with good news next time. Most apps made in Python seem to write all over the filesystem so I’m testing it on readonly environment; once done ErpNext should be available soon. Thank you for your patience.

Teaser

Update available: Outline v0.65.2

Update available 18.0.2

Update available v18.0.1

Update available for Keycloak 18.0.0. Up and running without issues for a while.

https://github.com/njsubedi/cloudron-keycloak

Update available: Outline v0.64.3

PS: Still no time to look into auth using Cloudron ProxyAuth

@girish @nebulon While installing the cloudron cli, I got this message. Is this something that we should worry about? Please confirm and fix if required. Thanks!

nj@mac% npm install cloudron 

up to date, audited 114 packages in 583ms

15 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

nj@mac% npm audit
# npm audit report

tar-fs  <1.16.2
Severity: high
Improper Input Validation in tar-fs - 

https://github.com/advisories/GHSA-x2mc-8fgj-3wmr

fix available via `npm audit fix --force`
Will install cloudron@0.9.4, which is a breaking change
node_modules/tar-fs
  cloudron  >=0.9.5
  Depends on vulnerable versions of tar-fs
  node_modules/cloudron

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

@infogulch I think that's doable. I'll see if I can get it working.

Update available: Outline v0.63.0

@nebulon Thanks for the quick fix. I can confirm it works. No ipv6 on my cloudron yet.

If you look at the logs at /app-logs/users you'll see all logins seem to have originated from the docker network.

Please fix this. Thanks!

Update available: Keycloak 7.0.1

I would love it if Cloudron supported PowerDNS as a DNS backend. I want wildcard certificate from Let’s Encrypt but it required a programmable backend.

I like to run my own DNS server- a hidden primary that isn’t published (eg. no hostname) and multiple secondary servers across different geolocations. This gives a lot of freedom, and most importantly gives me as little TTL as I want.

Unfortunately, I’ve not been able to use it for my Cloudron.

@luckow did you try logging in for the second time? As I have mentioned, first-time login still fails. Also if you could raise an issue on Github with the contents of “/run/logs/odoo.log” as soon as you log in, I can look into it.

After updating to org.jitsi.cloudronapp@0.2.0 the app won't restart because of the error.

Mar 16 12:58:38 JVB 2022-03-16 07:13:38.869 INFO: [29] HealthChecker.run#171: Performed a successful health check in PT0.000002S. Sticky failure: false
Mar 16 12:58:45 2022-03-16 07:13:45,876 WARN received SIGTERM indicating exit request
Mar 16 12:58:45 2022-03-16 07:13:45,877 INFO waiting for jicofo, nginx, prosody, videobridge to die
Mar 16 12:58:46 2022-03-16 07:13:46,879 INFO stopped: videobridge (terminated by SIGTERM)
Mar 16 12:58:47 2022-03-16 07:13:47,174 INFO stopped: prosody (exit status 0)
Mar 16 12:58:47 2022-03-16 07:13:47,178 INFO stopped: nginx (exit status 0)
Mar 16 12:58:47 Jicofo 2022-03-16 07:13:47.178 WARNING: [236] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener: Connection XMPPTCPConnection[focus@auth.meet.yarsa.org/focus] (0) closed with error
Mar 16 12:58:47 org.jivesoftware.smack.XMPPException$StreamErrorException: system-shutdown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
Mar 16 12:58:47 <stream:error><system-shutdown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text>Received SIGTERM</text></stream:error>
Mar 16 12:58:47 at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:981)
Mar 16 12:58:47 at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:913)
Mar 16 12:58:47 at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:936)
Mar 16 12:58:47 at java.base/java.lang.Thread.run(Thread.java:829)
Mar 16 12:58:47 2022-03-16 07:13:47,180 INFO stopped: jicofo (terminated by SIGTERM)
Mar 16 12:58:50 => Ensure directories
Mar 16 12:58:50 => Create configs
Mar 16 12:58:50 ==> Configuring static assets
Mar 16 12:58:50 ==> Configuring SASLauthd for LDAP
Mar 16 12:58:50 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 16 12:58:51 => Ensure directories
Mar 16 12:58:51 => Create configs
Mar 16 12:58:51 ==> Configuring static assets
Mar 16 12:58:51 ==> Configuring SASLauthd for LDAP
Mar 16 12:58:51 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 16 12:58:52 => Ensure directories
Mar 16 12:58:52 => Create configs
Mar 16 12:58:52 ==> Configuring static assets
Mar 16 12:58:52 ==> Configuring SASLauthd for LDAP
Mar 16 12:58:52 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 16 12:58:53 => Ensure directories
Mar 16 12:58:53 => Create configs
Mar 16 12:58:53 ==> Configuring static assets
Mar 16 12:58:53 ==> Configuring SASLauthd for LDAP
Mar 16 12:58:53 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable

Previously I had enforced 2FA for all users. Today, I saw that the checkbox was turned off. I turned it on. Then clicked "Save". The following error is shown, without any network request.
Note: My account has 2FA enabled. I don't know why the message is shown when I have enabled 2FA in my admin account. I disabled and re-enabled 2FA to see if this error goes away, but it doesn't.

After refreshing the page, the "Require users to set up 2FA" is automatically turned off.

@girish I'd say it is ready to be released as an unstable app. I tried restarting, reinstalling, updating, etc, and everything is working fine. I'm still unsure whether to keep the IMAP settings or remove it, because recvmail is mostly deprecated.

As other members said, there will be missing out on a lot of community addons but sooner or later they will be updated to support the latest Odoo version.

@luckow I've pushed a fix for LDAP Login. I had to map cn to displayName, and use a proper LDAP filter. I was able to immediately log in after installing Odoo.

However, there are two issues:

1. You have to log in with email and password. When I tried to have it login with both username and email, Odoo was creating two different users - one with the email and another one with the username.

2. Odoo throws a Server Error on the first login for a user from LDAP. From the second time, the error is not raised for the same user. Simply reload the page to "resend" the email/password, or log in again.
I spent some time debugging, but couldn't fix it. Looks like a bug in the record cache system of Odoo. If anyone is interested, I have opened an issue.

I have packaged Odoo, and posted about it here.

https://forum.cloudron.io/topic/1256/odoo-distributed-business-apps/25?_=1647263459265

I have packaged Odoo successfully.
Please check out http://github.com/njsubedi/cloudron-odoo

I had to patch the default Database connection function to prevent Odoo from connecting to the database named “postgres” from different places.

Otherwise, everything is working as expected. Simply clone the repo, and then from inside the repo, run

cloudoron build
cloudron install -l <subdomain.yourcloudron.tld>

Please post any error logs or problems here so I can continue to improve it.

Update: somehow LDAP login is failing; need to look into it.

I recently came across this post https://dirtypipe.cm4all.com/. Looks like everyone needs to look at this. What can be done to update the Kernel version, @girish @nebulon ?

Timeline

• 2021-04-29: first support ticket about file corruption

• 2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability

• 2022-02-20: bug report, exploit and patch sent to the Linux kernel security team

• 2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team

• 2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro

• 2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)

• 2022-02-24: Google merges my bug fix into the Android kernel

• 2022-02-28: notified the linux-distros mailing list

• 2022-03-07: public disclosure

Currently, cloudron exposes these variables:

CLOUDRON
CLOUDRON_API_ORIGIN
CLOUDRON_APP_DOMAIN
CLOUDRON_APP_ORIGIN
CLOUDRON_PROXY_IP
CLOUDRON_WEBADMIN_ORIGIN

Many of the apps can be configured to set custom labels for things like Application Title or Website Name or, most commonly, Mail from: NAME. I'm in need of the following environment variables to be exposed. If you need more variables, please add them to this thread.

CLOUDRON_APP_LABEL

Hi @luckow ,
Could you try following this blog post? https://blog.yarsalabs.com/self-hosting-outline-wiki-on-cloudron/
The description and first-time setup still need some work, so I'll look into it again.

@girish the app itself is great. I moved our team from Bookstack to Outline because it was extremely easy to create groups and assign permissions, default permission, etc. It also supports real-time collaboration on the document so we also started using it for meeting notes. So far, no issues. Working wonderfully inside cloudron with minio and keycloak both hosted alongside.

It is also pretty simple to keep updating regularly because of the simple migration command, and storage based on minio. No need to fuss with manual migration and storage, etc.

Also, I’d like to request S3 as an addon, because it’s trivial to create a bucket for an app, and an user for it, then grant “all” permissions on that bucket to that user.

Adding this to my list of apps to package.

I have also packaged Outline: https://github.com/njsubedi/cloudron-outline, thanks to the work @klawitterb started. Still no success with passport-ldapauth but since I've also packaged Keycloak, LDAP auth is no longer a blocker for Outline. I also added some more details on the manifest/POSTINSTALL.md file if anyone is interested. It would be awesome if minio was available as an addon.

I recommend someone with more knowledge of passport-ldapauth to try adding support for authenticating cloudron users.

@ei8fdb said in Penpot - Design Freedom for Teams:

@nj said in Penpot - Design Freedom for Teams:

I will be attempting to package this app this weekend. I will post updates in this thread.

Are we there yet?

Not yet. Had to re-package Keycloak to support the latest version that broke everything. I'm into penpot rn.

@girish Please check this out. I previously packaged Keycloak but suddenly the Keycloak team decided to deprecate the Wildfly version and started supporting Quarkus runtime. So I had to re-package it again. Took a while during the weekdays.

https://github.com/njsubedi/cloudron-keycloak

@Sam_uk I still think Keycloak is more stable. If I had to choose between Authentik and Keycloak I'd pick Keycloak any day. Also, I have successfully packaged Keycloak. https://github.com/njsubedi/cloudron-keycloak

As our team is growing, people start moving out, and sometimes we need to add temporary staff, so there are 2x many users that are marked as not active. The "Users" list is quite hard to navigate. There's a pagination of 20-100 results per page, which is somewhat helpful, but still no way to only show active users.

If there was a way to only show Active users like the screenshot above, that would be much helpful.

Thank you!

authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols, implement sign-up/recovery/etc. in your application so you don't have to deal with it, and many other things.

https://goauthentik.io/
https://github.com/goauthentik/authentik
https://goauthentik.io/docs/installation/docker-compose/

I will be attempting to package this app this weekend. I will post updates in this thread.

Recently I started using Cloudflare WAF service to protect my Cloudron instance. I had to proxy requests through Cloudflare for the WAF to work. After enabling Cloudflare proxy, I faced a few problems. I would like to share my setup as well as list out the problems.

My Setup

Cloudflare supports different options for SSL termination, among which Full Mode and Full (Strict) Modes are the two options. Since the origin server (Cloudron) forces all connections to be HTTPS, I used the Full(strict) mode. Also, Cloudflare does not support proxying *.mydomain.org, but only individual subdomains like app1.mydomain.org, app2.mydomain.org.

Cloudflare Dashboard

Cloudflare automatically provisions Edge Certificates for mydomain.org and *.domain.org and then does SSL termination on their end. The origin server (Cloudron) must also have a valid certificate or Cloudflare Origin CA Certificates.

Cloudron Domain Settings

I tested with both DNS Providers here - Cloudflare as well as Wildcard, with same results.

Many things are working as expected, but I noticed a few things got broken.

While installing new apps

1. When I am using the Wildcard DNS provider or Cloudron, the app installs successfully but I see a certificate error when I open the newly installed app. That's because newapp.mydomain.org is only resolving because of the wildcard *.mydomain.org entry, and it points directly to my Cloudron without proxying through Cloudflare. Since my Cloudflare is using Custom Certificates from Cloudflare Origin CA, web browsers don't trust it. I have to manually go to Cloudflare dashboard and add a new A-Record in proxy mode. Then the certificate errors resolve.

2. Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

Some Apps Report Wrong IP of Visitors (Cloudflare IPs)

When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.

---

That's all for now. I'll add more when I face other issues.

@klawitterb Hi, were you able to make LDAP authentication work? I tried to build and install from the repo you shared but it threw several errors. Could you share a bit more about how you made Outline work with Cloudron user directory?

Thank you for confirming. I tried some other features in the Professional plans, and they didn't work, so there's no way ldap would work.

@girish That worked. By the way, is there a plan to package Keycloak? I managed to run Keycloak and Outline on Cloudron. Keycloak needed some patching to make it work on the read-only system without mounting everything to /app/data. Outline wiki app can be easily set up to authenticate using Keycloak. Both apps seem to be working as they should. Do you think we can publish those apps to the Cloudron App Store? That would be my first experience publishing an app.

Currently, I am packaging the Outline app to directly authenticate with the Cloudron user directory without the need to install Keycloak. If anyone is interested, I published a little more details in my blog. I'm doing another write-up describing the issues I solved while packaging Keylcloak.

Mattermost self-hosted supports LDAP authentication. Is there a reason it was not added during the app packaging? https://docs.mattermost.com/configure/configuration-settings.html#ad-ldap

Is there a possibility to publish a quick update of the app by simply adding LDAP addon to the manifest?

@girish

When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right?

Yes. I recently built and run Keycloak as an app on my Cloudron instance.

we can expose the active flag via LDAP.

That's exactly what I want. If you could expose the active flag via LDAP, I could use a filter like (&(objectClass=user)(isActive=true)) to only fetch active users.

I'm not a native English speaker, so excuse the confusion that I caused.

@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP. On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server. In such cases, Keycloak does not have any way to know whether the users are still active. That's why I asked if there's any filter that I can apply to only fetch/sync active users.

@girish, is there a way to import only active users when syncing users with LDAP?
After setting up Keycloak, only the "active" users could log in to Keycloak. But when I try to import active users to Keycloak, all users were imported, including those who were marked as not active in my Cloudron Users dashboard.

@girish I think I didn’t make it clear enough earlier. The Keycloak app itself doesn’t support working as a LDAP server, but makes use of Cloudron LDAP to federate users from Cloudron. It works as a OIDC server. So it’s a pretty trivial setup..

@ianhyzy I finally managed to run Keycloak on Cloudron after a few days of trying. Most of the code is from this repository. The author seemed to have used a heavily modified configuration file, tailored to fit their needs. Also they had a two-step build system, where they pushed a customized Keycloak image to the hub, then the actual Cloudron app made use of the previously pushed image. That didn't seem necessary.

So, I wrote a simple build script that would:

• spawn a fresh installation of Keycloak
• export the default master realm configuration
• adds LDAP and SMTP configuration for Cloudron to the exported file

The app I put together is based on cloudron/base:3.2 and makes use of the freshly exported and customized configuration file, which IMO is more compatible with Keycloak updates.

I'll publish the code on Github this weekend. I'm planning to use this instance to install Outline because it now supports a custom OIDC auth provider.

Cheers!

A surprisingly simple, user-friendly and free help desk software with an integrated knowledgebase. It's a simple LAMP app though, so posting it here for everyone even if it does not get packaged. https://www.hesk.com/

Caveat: You can only "download" it; no docker images and such, so it's best suited to be installed in a folder as a LAMP application. You can see it in action at https://www.yarsahost.com/support/.

Context:
I discovered Hesk after testing dozens of other helpdesk software because according to this issue on Github, FreeScout team is not going to have any decent homepage. Custom homepage and knowledgebase come out of the box. I quite regret purchasing so many "modules" for Freescout because I decided to switch to Hesk. That's the reason why I shared it here. Cheers!

@girish Thanks for the hint! I was more interested in removing the footer than adding it back here, but I'll also let the footer stay.

How can I add HCaptcha to NodeBB registration page like in this forum? I also noticed that the 'Powered by NodeBB' footer is gone. How can I do that?

@girish I don't remember creating any folder myself, so I can't tell how it got created there. None of my other Cloudron instances had this issue so it might have happened somehow. I don't have any custom nginx config.

Maybe removing the tmp folder could have solved the issue without the -r flag. The error cp: -r not specified; omitting directory '/home/yellowtent/boxdata/certs/tmp' meant it couldn't copy the tmp folder because -r flag was missing. Also, I added -r because the error message hinted me to do so and it fixed the issue.

Finally, I fixed the issue by modifying the migration file. Adding -r to the cp command, and then manually restarting Cloudron /home/yellowtent/box/setup/start.sh fixed the issue for me. I'm surprised that no other Cloudron instances had this issue.

File: /home/yellowtent/box/migrations/20210505223829-blobs-migrate-certs.js Line 43:

child_process.execSync(`cp -r ${OLD_CERTS_DIR}/* ${NEW_CERTS_DIR}`); // this way we copy the non-migrated ones like .host, .user etc as well

This thread is a copy of the emails I sent to the support statff. I posted here so it might help someone else in this situation.