Setup:Installation Guide/Docker: Difference between revisions

Back to version history
Browse history interactively
← Older edit
VisualWikitext
No edit summary
Hua Jing (talk | contribs)
32 edits
No edit summary
Tag: 2017 source edit
 
(49 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Textbox
|boxtype=important
|header=Migration from 4.4
|text=With BlueSpice 4.5 there were some important changes to the container portfolio:
# There are no "all-in-one" containers anymore. Neither for FREE, nor for PRO and FARM editions
# The "distributed-services" setup for PRO and FARM edition has completely been reworked
If you are upgrading from one of the above-mentioned setups, please refer to the [[{{FULLPAGENAME}}/Migration_4.4 to 4.5|migration guide]]
|icon=yes
}}


__TOC__
== Overview ==
Starting with version 4.5, BlueSpice MediaWiki can be installed with a stack of Docker container images.


===Overview===
Everything is built in a modular way to allow different types of setups.
Since version 4.5, BlueSpice MediaWiki can be easily installed using a stack of Docker container images. Everything is build in a modular way to allow different types of setups.


The most common cases are
The most common cases are:
# "All-in-one" (with and without Let's Encrypt)
# "All-in-one" (with and without Let's Encrypt)
# Custom database and search service
# Custom database and search service
# Custom load balancer / proxy
# Custom load balancer / proxy


=== Step 1: Get the stack ===
== Architecture ==
Get "docker-compose" files from https://bluespice.com/de/download/
<drawio filename="Setup:Installation_Guide_Docker-Achitecture" alt="Diagram of BlueSpice Docker Stack Architecture" />
wget <nowiki>https://bluespice.com/filebase/docker-deployment-script</nowiki> \
 
    && unzip docker-deployment-script \
'''Notes'''
    && cd docker-deployment-script/compose
* Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
** HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
* Proprietary ports (esp. for database connections) are noted next to the respective services.
* There may be additional services and ports in use, based on the setup. Some examples:
** When using LDAP based authentication an LDAPS connection (port <code>636</code>) is used from the <code>bluespice/wiki</code> containers to the LDAP-Server
** When using Kerberos authentication, a connection (port <code>88</code>) is used from the <code>bluespice/kerberos-proxy</code> containers to the Kerberos-Server
** When using DeepL or OpenAI services, a HTTPS connection (port <code>443</code>) is used from the <code>bluespice/wiki</code> containers to to the respective service
** When using OpenIDConnect authentication, a HTTPS connection (port <code>443</code>) is used from the <code>bluespice/wiki</code> "task" container to to the authentication provider
** When using "Let's Encrypt" Certbot, a HTTPS connection (port <code>443</code>) is used from the <code>acme-companion</code> container to the "Let's Encrypt" service
 
== Step 1: Get the stack ==
Load project <code>bluespice-deploy</code> from https://github.com/hallowelt/bluespice-deploy/releases/latest and enter the sub-directory <code>compose</code> for Docker Compose files.
 
For example, run:
<syntaxhighlight lang=sh>
wget https://github.com/hallowelt/bluespice-deploy/archive/refs/tags/5.1.1.zip \
  && unzip 5.1.1.zip \
  && cd bluespice-deploy-5.1.1/compose
</syntaxhighlight>


The directory contains the following files:
The directory contains the following files:
{| class="wikitable"
{| class="wikitable"
|+
|+
! style="width:350px;" |Filename
! style="width:375px;" |Filename
!Type
! style="" |Type
!Mandatory
! style="" |Comment
!Comment
|-
| style="width:375px;" |<code>bluespice-deploy</code>
| style="" |shell script
| style="" |Start-up script, wrapping command <code>docker compose</code> and service <code>yml</code> files.<br>Additional service <code>yml</code> files can be loaded by adding <code>-f <filename> </code>.
|-
|-
| style="width:350px;" |<code>bluespice-deploy</code>
| style="width:375px;" |<code>docker-compose.main.yml</code>
|bash-script
| style="" |yml
|false
| style="" |Main containers of the wiki (<code>wiki-web</code> and <code>wiki-task</code>).
|Wrapper for general start-up of needed containers
|-
|-
| style="width:350px;" |<code>bluespice-prepare</code>
| style="width:375px;" |<code>docker-compose.persistent-data-services.yml</code>
|bash-script
| style="" |yml
|false
| style="" |Containers of database and search services, storing persistent data onto the file system.<br />Optionally with external MySQL/MariaDB and OpenSearch one can skip loading this <code>.yml</code> in <code>bluespice-deploy</code>. Please then wire your services properly in the <code>.env</code> file.
|Prepare Folder and Permissions before first start also registers the service at the operating system
|-
|-
| style="width:350px;" |<code>bluespice.service</code>
| style="width:375px;" |<code>docker-compose.stateless-services.yml</code>
|service-script
| style="" |yml
|false
| style="" |Containers for caching, PDF rendering, formula-rendering and diagram editing.
|Proper handling of the containers on reboot
|-
|-
| style="width:350px;" |<code>docker-compose.main.yml</code>
| style="width:375px;" |<code>docker-compose.helper-service.yml</code>
|yml
| style="" |yml
|true
| style="" |Helper containers for file system preparation and automated BlueSpice upgrade.<br>These containers exit automatically after finishing tasks.
|Main application services/ run by <code>bluespice-deploy</code>
|-
| style="width:375px;" |<code>docker-compose.proxy.yml</code>
| style="" |yml
| style="" |Container of proxy service. Can be replaced by existing proxy/load-balancer infrastructure.
|-
|-
| style="width:350px;" |<code>docker-compose.persistent-data-services.yml</code>
| style="width:375px;" |<code>docker-compose.proxy-letsencrypt.yml</code>
|yml
| style="" |yml
|false
| style="" |Additional service for auto-renewal of "Let's Encrypt" certificates.<br>Only required when using the Let's Encrypt service and having no other TLS termination.
|Database and search/ run by <code>bluespice-deploy</code>
|-
|-
| style="width:350px;" |<code>docker-compose.stateless-services.yml</code>
| style="width:375px;" |<code>docker-compose.kerberos-proxy.yml</code>
|yml
| style="" |yml
|true
| style="" |Additional proxy for Kerberos based authentication.
|PDF-Renderer/Cache/Formula/Diagram-Service
|-
|-
| style="width:350px;" |<code>docker-compose.proxy.yml</code>
| style="width:375px;" |<code>docker-compose.collabpads-service.yml</code>
|yml
|yml
|false, but recommended
|Containers of back-end services for [[Manual:Extension/CollabPads|CollabPads]] (included in Pro and Farm editions).
|Proxy Service
|-
|-
| style="width:350px;" |<code>docker-compose.proxy-letsencrypt.yml</code>
| style="width:375px;" |<code>.env.sample</code>
|yml
| style="" |text
|false
| style="" |Sample for creating <code>.env</code> that defines key environment variables.
|Additional auto-renewal service for "Let's Encrypt" certificates
|-
|-
| style="width:350px;" |<code>docker-compose.kerberos-proxy.yml</code>
| style="width:375px;" |<code>bluespice.service.demo</code>
|yml
| style="" |service script
|false
| style="" |Demo-file for control the BlueSpice stack as a <code>systemctl</code> service.<br>One can create e.g a <code>/etc/systemd/system/bluespice.service</code>.
|Additional proxy for Kerberos based authenication
|}
|}


For convenience, the <code>bluespice-deploy</code> script wraps the first four <code>yml</code> files by default. This includes the main wiki application and also required backend services, like a database, search and application cache.
== Step 2: Set up environment variables ==
 
Create your <code>.env</code> based on the sample file <code>.env.sample</code>.
Additional services can be loaded by adding <code>-f <filename> </code>.
 
Example:
bluespice-deploy \
    -f docker-compose.proxy-letsencrypt.yml \
    up -d
 
This will start the stack with "Let's Encrypt" certificates. For details, please refer to section [[#SSL certificates| SSL certificates]].
 
===Step 2: Set up environment variables===
Create <code>.env</code> file according to existing or state-to-be installation.


Example:
Example:
DATADIR=/data/bluespice
<pre>
VERSION=4.5
# set or use your data directory
EDITION=pro
DATADIR=/data/bluespice
BACKUP_HOUR=04
VERSION=5.1.1
EDITION=free
WIKI_NAME=BlueSpice
BACKUP_HOUR=04
WIKI_LANG=en
WIKI_PASSWORDSENDER=no-reply@wiki.company.local
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
WIKI_HOST=wiki.company.local
WIKI_PORT=443
WIKI_PROTOCOL=https
DB_USER=bluespice
DB_PASS=...
DB_HOST=database
DB_NAME=bluespice
DB_PREFIX=
SMTP_HOST=mail.company.local
SMTP_PORT=25
SMTP_USER=...
SMTP_PASS=...
SMTP_ID_HOST=...
{{Textbox|boxtype=note|header=Different editions|text=The example shows <code>EDITION=pro</code>. Be aware that for <code>pro</code> and <code>farm</code> you need to be logged into <code>docker.bluspice.com</code>.|icon=yes}}


=== Step 3: Prepare data directories===
WIKI_NAME=BlueSpice
Run <code>bluespice-prepare</code> script, helping you set up correct folder structure and permissions. Also installing a service for proper handling of the containers on reboots. Make sure to run this command with in a privileged user context (like <code>root</code>), as it will set permissions on the newly created directories.
WIKI_LANG=en
WIKI_PASSWORDSENDER=no-reply@wiki.company.local
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
WIKI_HOST=wiki.company.local
WIKI_PORT=443
WIKI_PROTOCOL=https
WIKI_BASE_PATH=


=== Step 4: Start the stack ===
DB_USER=set_or_use_your_db_user_name
{{Textbox
DB_PASS=SET_OR_USE_YOUR_DB_PASS_WORD
|boxtype=important
DB_ROOT_USER=root
|header=Initial installation
DB_ROOT_PASS=$DB_PASS
|text=When starting the stack the first time, the <code>wiki-task</code> container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default <code>Admin</code> user can be found in <code>$DATADIR/wiki/adminPasssword</code>.
DB_HOST=database
|icon=yes
DB_NAME=bluespice
}}
DB_PREFIX=
Use <code>bluespice-deploy up -d</code> to start the stack, once the <code>.env</code> file and the "data directories" are ready. Once all containers are shown as "ready" you can navigate to <code>$WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT</code> (e.g. <code><nowiki>https://wiki.company.local</nowiki></code>) in your favorite web browser and start using the application.


=== Additional options ===
SMTP_HOST=mail.company.local
SMTP_PORT=25
SMTP_USER=...
SMTP_PASS=...
SMTP_ID_HOST=...


==== SSL certificates ====
LETSENCRYPT=false
For using Let's Encrypt Certificates just add <code>docker-compose.proxy-letsencrypt.yml</code> in your <code>bluespice-deploy</code> file.
</pre>
{{Textbox|boxtype=note|header=Different editions|text=This config works for all editions, but the main image of Pro or Farm edition needs to be obtained differently, see [[{{FULLPAGENAME}}/Pro and Farm edition|Pro and Farm edition]]|icon=yes}}


{{Textbox
== Step 3: Start the stack ==
|boxtype=tip
Use <code>bluespice-deploy up -d</code> to start the stack. Once all containers are shown as "ready" you can navigate to <code>$WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT</code> (e.g. <code><nowiki>https://wiki.company.local</nowiki></code>) in your preferred web browser and start using the application.
|header=Self-signed certificates
|text=For using self-signend Certificates please put <code><bluespice-wiki.com>.crt</code> and <code><bluespice-wiki.com>.key</code> with the exact name of your Wikis URL in <code>${VOLUMES_DIR}/nginx/certs</code>
|icon=yes
}}


If activating SSL after first creation of wiki please change <code>$wgServer</code> in <code>${VOLUMES_DIR}/bluespice-data/LocalSettings.php</code>
When starting the stack the first time, the <code>wiki-task</code> container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default <code>Admin</code> user can be found in <code>$DATADIR/wiki/initialAdminPassword</code>.


to <code><nowiki>https://bluespice-wiki.com</nowiki></code>
== Additional options ==


also link your certificate to the bluespice-container in your <code>docker-compose.yml</code>-File:
=== Configs for <code>LocalSettings.php</code> ===
Instead of exposing the <code>LocalSettings.php</code> for [[mediawikiwiki:Manual:LocalSettings.php|adding additional configurations]], the stack offers two entry points. After the initial installation, you can add your configs to two files in <code>${DATADIR}/wiki/bluespice/</code>:


<code>- ${VOLUMES_DIR}/nginx/certs/<FQDNofyourWiki>.crt:/usr/local/share/ca-certificates/<FQDNofyourWiki>.crt:ro</code>
* <code>pre-init-settings.php</code>  - Set configs before the initialization of BlueSpice's debug logging, libraries, skins, extensions and default settings.  Configs set here can be picked up by the init process.
* <code>post-init-settings.php</code> - Set configs after the initialization, manipulating configs that have been set by the init process.
For example, if you add the following lines to <code>pre-init-settings.php</code>, you can then read outputted debug logs (if any) in <code>${DATADIR}/wiki/bluespice/logs/debug.log</code>:<syntaxhighlight lang="php">
$GLOBALS['bsgDebugLogGroups']['exception'] = "/data/bluespice/logs/debug.log";
$wgShowExceptionDetails = true;
</syntaxhighlight>


Please restart containers after changing/adding SSL files.
=== Maintenance scripts ===
To run scripts from MediaWiki or from other extensions, please use the <code>wiki-task</code> container, which handles all back-end jobs and processes. You can connect into the container in two different ways:


====Operating system level service====
* run <code>./bluespice-deploy exec -it wiki-task bash</code> in the <code>compose</code> directory for Docker Compose files
* or alternatively, run <code>docker exec -it bluespice-wiki-task bash</code> wherever you are on the host machine


{{Textbox
Inside the container you can enter the wiki's code base with <code>cd /app/bluespice/w</code> , where one can run scripts like <code>php maintenance/run.php update --quick</code>, <code>php extensions/BlueSpiceExtendedSearch/maintenance/updateWikiPageIndex.php</code> and so on.
|boxtype=tip
|header=Adding additional services
|text=expand the <code>ExecStart</code> parameter in the <code>/etc/systemd/system/bluespice.service</code>
Example:
ExecStart=<WORKDIR>/bluespice-deploy -f docker-compose.proxy-letsencrypt.yml up -f -d --remove-orphans
|icon=yes
}}


==== Custom wiki application configuration ====
=== SSL certificates ===
After the initial installation, the <code>${DATADIR}/wiki/bluespice/</code> contains two files that can be used to set custom application configuration as it may be found on [https://www.mediawiki.org mediawiki.org]:
To use a Let's Encrypt certificate for your domain name, set <code>LETSENCRYPT=true</code> in your <code>.env</code> file.


* <code>pre-init-settings.php</code> - Can be used to set config that can be picked up by  the init process
To use a self-signend certificate for your domain name, put its <code>.crt</code> and <code>.key</code> files in <code>${DATADIR}/proxy/certs</code>. For example, with <code>wiki.company.local</code> you should prepare <code>wiki.company.local.crt</code> and <code>wiki.company.local.key</code> files.
* <code>post-init-settings.php</code> - Can be used to manipulate configs that have been set by the init process


==== Custom database and search ====
=== Kerberos proxy ===
If you have a MySQL/MariaDB and an OpenSearch server running in your local network, you can remove <code>docker-compose.persistent-data-services.yml</code> entirely from your <code>bluespice-deploy</code>  file. Make sure to set the proper variables in the <code>.env</code> file.
For implicit authentication using Kerberos, an additional proxy must be used: <code>bluespice/kerberos-proxy</code> . The file <code>docker-compose.kerberos-proxy.yml</code> contains a common configuration. It can be used '''instead of''' the regular <code>docker-compose.proxy.yml</code> file inside <code>bluespice-deploy</code> .
 
====Kerberos proxy====
For implicit authenticationusing Kerberos, an additional proxy must be used: <code>bluespice/kerberos-proxy</code> . The file <code>docker-compose.kerberos-proxy.yml</code> contains a common configuration. It can be used '''instead of''' the regular <code>docker-compose.proxy.yml</code> file inside <code>bluespice-deploy</code> .


Make sure to have the files
Make sure to have the files
Line 186: Line 166:
The file <code>${DATADIR}/wiki/bluespice/pre-init-settings.php</code> can then be used to set up [[mediawikiwiki:LDAP_hub|"Extension:Auth_remoteuser" and the LDAP stack extensions]].
The file <code>${DATADIR}/wiki/bluespice/pre-init-settings.php</code> can then be used to set up [[mediawikiwiki:LDAP_hub|"Extension:Auth_remoteuser" and the LDAP stack extensions]].


====SAML authentication====
=== SAML authentication ===
 
During the initial installation a certificate for message signing will automatically be created. It can be found in <code>${DATADIR}/wiki/simplesamlphp/certs/</code>.
During the initial installation a certificate for message signing will automatically be created. It can be found in <code>${DATADIR}/wiki/simplesamlphp/certs/</code>.


In order to configure a remote IdP, one must copy the IdP metadata XML to a file called <code>${DATADIR}/wiki/simplesamlphp/simplesamlphp/saml_idp_metadata.xml</code>. The SP metadata can then be obtained via <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp</nowiki></code>. It must be configured in the remote IdP.
In order to configure a remote IdP, one must copy the IdP metadata XML to a file called <code>${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml</code>. The SP metadata can then be obtained via <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp</nowiki></code>. It must be configured in the remote IdP.


{{Textbox
{{Textbox
Line 214: Line 193:
After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".
After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".


==== OpenID Connect authentication ====
=== OpenID Connect authentication ===


The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add<syntaxhighlight lang="php">
The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add<syntaxhighlight lang="php">

Latest revision as of 13:18, 28 July 2025

Overview

Starting with version 4.5, BlueSpice MediaWiki can be installed with a stack of Docker container images.

Everything is built in a modular way to allow different types of setups.

The most common cases are:

  1. "All-in-one" (with and without Let's Encrypt)
  2. Custom database and search service
  3. Custom load balancer / proxy

Architecture

Diagram of BlueSpice Docker Stack Architecture

Notes

  • Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
    • HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
  • Proprietary ports (esp. for database connections) are noted next to the respective services.
  • There may be additional services and ports in use, based on the setup. Some examples:
    • When using LDAP based authentication an LDAPS connection (port 636) is used from the bluespice/wiki containers to the LDAP-Server
    • When using Kerberos authentication, a connection (port 88) is used from the bluespice/kerberos-proxy containers to the Kerberos-Server
    • When using DeepL or OpenAI services, a HTTPS connection (port 443) is used from the bluespice/wiki containers to to the respective service
    • When using OpenIDConnect authentication, a HTTPS connection (port 443) is used from the bluespice/wiki "task" container to to the authentication provider
    • When using "Let's Encrypt" Certbot, a HTTPS connection (port 443) is used from the acme-companion container to the "Let's Encrypt" service

Step 1: Get the stack

Load project bluespice-deploy from https://github.com/hallowelt/bluespice-deploy/releases/latest and enter the sub-directory compose for Docker Compose files.

For example, run: 

wget https://github.com/hallowelt/bluespice-deploy/archive/refs/tags/5.1.1.zip \
  && unzip 5.1.1.zip \
  && cd bluespice-deploy-5.1.1/compose

The directory contains the following files:

Filename Type Comment
bluespice-deploy shell script Start-up script, wrapping command docker compose and service yml files.
Additional service yml files can be loaded by adding -f <filename> .
docker-compose.main.yml yml Main containers of the wiki (wiki-web and wiki-task).
docker-compose.persistent-data-services.yml yml Containers of database and search services, storing persistent data onto the file system.
Optionally with external MySQL/MariaDB and OpenSearch one can skip loading this .yml in bluespice-deploy. Please then wire your services properly in the .env file.
docker-compose.stateless-services.yml yml Containers for caching, PDF rendering, formula-rendering and diagram editing.
docker-compose.helper-service.yml yml Helper containers for file system preparation and automated BlueSpice upgrade.
These containers exit automatically after finishing tasks.
docker-compose.proxy.yml yml Container of proxy service. Can be replaced by existing proxy/load-balancer infrastructure.
docker-compose.proxy-letsencrypt.yml yml Additional service for auto-renewal of "Let's Encrypt" certificates.
Only required when using the Let's Encrypt service and having no other TLS termination.
docker-compose.kerberos-proxy.yml yml Additional proxy for Kerberos based authentication.
docker-compose.collabpads-service.yml yml Containers of back-end services for CollabPads (included in Pro and Farm editions).
.env.sample text Sample for creating .env that defines key environment variables.
bluespice.service.demo service script Demo-file for control the BlueSpice stack as a systemctl service.
One can create e.g a /etc/systemd/system/bluespice.service.

Step 2: Set up environment variables

Create your .env based on the sample file .env.sample.

Example: 

# set or use your data directory 
DATADIR=/data/bluespice
VERSION=5.1.1
EDITION=free
BACKUP_HOUR=04

WIKI_NAME=BlueSpice
WIKI_LANG=en
WIKI_PASSWORDSENDER=no-reply@wiki.company.local
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
WIKI_HOST=wiki.company.local
WIKI_PORT=443
WIKI_PROTOCOL=https
WIKI_BASE_PATH=

DB_USER=set_or_use_your_db_user_name
DB_PASS=SET_OR_USE_YOUR_DB_PASS_WORD
DB_ROOT_USER=root 
DB_ROOT_PASS=$DB_PASS
DB_HOST=database
DB_NAME=bluespice
DB_PREFIX=

SMTP_HOST=mail.company.local
SMTP_PORT=25
SMTP_USER=...
SMTP_PASS=...
SMTP_ID_HOST=...

LETSENCRYPT=false
Different editions This config works for all editions, but the main image of Pro or Farm edition needs to be obtained differently, see Pro and Farm edition


Step 3: Start the stack

Use bluespice-deploy up -d to start the stack. Once all containers are shown as "ready" you can navigate to $WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT (e.g. https://wiki.company.local) in your preferred web browser and start using the application.

When starting the stack the first time, the wiki-task container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default Admin user can be found in $DATADIR/wiki/initialAdminPassword.

Additional options

Configs for LocalSettings.php

Instead of exposing the LocalSettings.php for adding additional configurations, the stack offers two entry points. After the initial installation, you can add your configs to two files in ${DATADIR}/wiki/bluespice/:

  • pre-init-settings.php - Set configs before the initialization of BlueSpice's debug logging, libraries, skins, extensions and default settings. Configs set here can be picked up by the init process.
  • post-init-settings.php - Set configs after the initialization, manipulating configs that have been set by the init process.

For example, if you add the following lines to pre-init-settings.php, you can then read outputted debug logs (if any) in ${DATADIR}/wiki/bluespice/logs/debug.log:

$GLOBALS['bsgDebugLogGroups']['exception'] = "/data/bluespice/logs/debug.log";
$wgShowExceptionDetails = true;

Maintenance scripts

To run scripts from MediaWiki or from other extensions, please use the wiki-task container, which handles all back-end jobs and processes. You can connect into the container in two different ways:

  • run ./bluespice-deploy exec -it wiki-task bash in the compose directory for Docker Compose files
  • or alternatively, run docker exec -it bluespice-wiki-task bash wherever you are on the host machine

Inside the container you can enter the wiki's code base with cd /app/bluespice/w , where one can run scripts like php maintenance/run.php update --quick, php extensions/BlueSpiceExtendedSearch/maintenance/updateWikiPageIndex.php and so on.

SSL certificates

To use a Let's Encrypt certificate for your domain name, set LETSENCRYPT=true in your .env file.

To use a self-signend certificate for your domain name, put its .crt and .key files in ${DATADIR}/proxy/certs. For example, with wiki.company.local you should prepare wiki.company.local.crt and wiki.company.local.key files.

Kerberos proxy

For implicit authentication using Kerberos, an additional proxy must be used: bluespice/kerberos-proxy . The file docker-compose.kerberos-proxy.yml contains a common configuration. It can be used instead of the regular docker-compose.proxy.yml file inside bluespice-deploy .

Make sure to have the files

  • ${DATADIR}/kerberos/krb5.conf
  • ${DATADIR}/kerberos/kerberos.keytab

set up properly.

The file ${DATADIR}/wiki/bluespice/pre-init-settings.php can then be used to set up "Extension:Auth_remoteuser" and the LDAP stack extensions.

SAML authentication

During the initial installation a certificate for message signing will automatically be created. It can be found in ${DATADIR}/wiki/simplesamlphp/certs/.

In order to configure a remote IdP, one must copy the IdP metadata XML to a file called ${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml. The SP metadata can then be obtained via https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp. It must be configured in the remote IdP.

Test authentication You can test authentication directly within the SimpleSAMLphp application. To do so, navigate to https://{{$WIKI_HOST}}/_sp/module.php/admin and log in with admin and the INTERNAL_SIMPLESAMLPHP_ADMIN_PASS found in ${DATADIR}/wiki/.wikienv


Next, the extensions "PluggableAuth" and "SimpleSAMLphp" must be enabled on the wiki. To do so, add 

wfLoadExtensions( [
    'PluggableAuth',
    'SimpleSAMLphp'
] );

to the ${DATADIR}/wiki/bluespice/post-init-settings.php. Run 

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in Special:BlueSpiceConfigManager under "Authentication".

OpenID Connect authentication

The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add

wfLoadExtensions( [
    'PluggableAuth',
    'OpenIDConnect'
] );

to the ${DATADIR}/wiki/bluespice/post-init-settings.php. Run 

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in Special:BlueSpiceConfigManager under "Authentication".


PDF exclude - start

To submit feedback about this documentation, visit our community forum.

PDF exclude - end
Retrieved from "https://en.wiki.bluespice.com/w/index.php?title=Setup:Installation_Guide/Docker&oldid=12660"