Applications Azure

EGroupware 26 Collaboration Suite on Ubuntu 24.04 on Azure User Guide

| Product: EGroupware 26 Collaboration Suite on Ubuntu 24.04 LTS on Azure

Overview

EGroupware is a mature open source collaboration and groupware suite used by businesses, public sector bodies, schools and non profit organisations to run shared calendars, contacts, projects and documents on infrastructure they control. It brings together a group calendar with resource booking, address books, InfoLog for tasks and tickets, a versioned file manager, project manager, time sheet, wiki, bookmarks and news, all behind one sign in with fine grained per group access control. Calendars and contacts synchronise to phones, tablets and desktop clients over CalDAV and CardDAV, and the mail app connects to an IMAP server you already run. The cloudimg image ships EGroupware 26 served by Apache and PHP 8.3 on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The installer is pre completed and the setup console is locked away, so the suite is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • EGroupware 26 served by Apache with PHP 8.3, managed by systemd
  • A bundled MariaDB server holding the EGroupware database, already installed and ready
  • The installer pre completed and the setup console locked away behind a denial, so no installer is ever exposed
  • A per VM administrator password generated on first boot and recorded in a root only file
  • No shipped default login: every password ships rotated to a discarded random and the real per VM values are set on first boot
  • MariaDB bound to 127.0.0.1 only, never exposed to the network
  • A dedicated Azure data disk carrying both the MariaDB database and EGroupware's file store
  • An address agnostic configuration, so the suite works on the public IP, a private address or your own DNS name with nothing to reconfigure
  • Host only session cookies, so sign in works whether you browse by IP or by a DNS name
  • apache2.service and mariadb.service as enabled systemd units
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for a team; move up to Standard_D2s_v3 or larger for many concurrent users, large file stores or heavy calendar use. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.

Step 1 - Deploy from the Azure Marketplace

In the Azure portal choose Create a resource, search for EGroupware 26 Collaboration Suite on Ubuntu 24.04 LTS by cloudimg, and select Create. Pick your subscription, resource group and region, choose the Standard_B2s size, select SSH public key authentication with the username azureuser, and allow inbound 22, 80 and 443. The image attaches its own 30 GiB data disk for your database and file store, so you do not need to add one.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name egroupware \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Then open ports 80 and 443:

az vm open-port --resource-group <your-rg> --name egroupware --port 80,443

Step 3 - Confirm the services are running

SSH to the VM as azureuser and confirm Apache and MariaDB are active. Note that MariaDB is bound to 127.0.0.1:3306 only, while Apache serves on port 80.

systemctl is-active apache2 mariadb

The first boot service is a one shot job rather than a long running service, so ask it for its result rather than whether it is active. It reports success once it has generated this VM's credentials:

systemctl show egroupware-firstboot --property=Result --value

It is normal and correct for systemctl is-active egroupware-firstboot to report inactive after the job has run, and especially after a reboot: the unit is guarded by a sentinel file so that it generates your credentials exactly once and never overwrites them on a later boot. Result=success is the answer that matters.

ss -tlnp | grep -E ':80 |:3306 ' | sed 's/  */ /g'

The apache2 and mariadb services reporting active and the egroupware first boot job reporting Result success, with Apache listening on port 80 and MariaDB bound to loopback 127.0.0.1:3306

Step 4 - Retrieve the per VM administrator password

The first boot service generates an administrator password unique to your VM and writes it to a root only file. Read it over SSH:

sudo cat /root/egroupware-credentials.txt

The per VM EGroupware credentials file, showing the admin login user, the generated password masked, the loopback MariaDB details and the setup console credentials

Unlike many web applications, this image bakes no address into its configuration: EGroupware is configured with a relative web server URL, so it works unchanged on the VM's public IP, on its private address, on a DNS name, or behind a TLS terminating proxy. There is nothing to reconfigure when your address changes.

Step 5 - Sign in

Browse to http://<vm-ip>/egroupware/ and sign in with the username admin and the password from the credentials file. Browsing http://<vm-ip>/ redirects you there.

The EGroupware sign in page showing the username, password and second factor fields, the remember me option and the login button over the EGroupware branding

After signing in you land in the suite with the application bar across the top, a search box, and the calendar open. EGroupware may offer to start a working time entry on your first sign in; answer No or Don't ask again! if you do not use the time sheet.

Step 6 - The calendar

The calendar is EGroupware's centrepiece. It opens on the current day with a month picker, your favourites and an open ToDo panel alongside. You can switch between day, week, month and year views, book resources and meeting rooms, invite other users and see their free or busy time, and set up recurring appointments. Calendars are shared according to the access control you grant each group, and they synchronise to phones and desktop clients over CalDAV.

The EGroupware calendar signed in as the administrator, showing the July 2026 month picker, the day grid with hourly slots, the favourites panel and the open ToDo's panel

Step 7 - The address book

Address Book holds your shared and personal contacts, with business and home fields, organisations, distribution lists and categories. A fresh instance contains the administrator's own contact and EGroupware's internal SiteMgr record. Contacts sync to phones and desktop clients over CardDAV, and they link through to InfoLog entries, calendar events and projects.

The EGroupware address book showing the contact list with the administrator entry and the SiteMgr record, the column headers for name, organisation, business address and phone numbers, and the all contacts and all address books filters

Step 8 - InfoLog for tasks and tickets

InfoLog is EGroupware's tracker for tasks, notes, phone calls and tickets. A fresh instance starts empty, as shown below. Entries carry a type, status, priority, start and due dates, an owner and a responsible user, and they can be linked to a contact, a calendar event or a project so everything about a piece of work stays together. The filters down the page let you build and save views such as your own open tasks or everything due this week.

The EGroupware InfoLog application on a fresh instance, showing the empty task list with the type, status, subject, priority, start date, due date, owner and responsible columns, and the search and column filters

Step 9 - Connect your own mail server

EGroupware's mail app is a client, not a mail server: this image deliberately ships no SMTP or IMAP daemon, so nothing is listening on a mail port and there is no relay to secure. Sign in as the administrator and go to Admin > Mail accounts to point the mail app at an IMAP and SMTP server you already run, or at a hosted provider. The rest of the suite, including the calendar, address book, InfoLog, file manager and project manager, works fully without any mail server configured. The same Admin area connects EGroupware to LDAP or Active Directory if you would rather authenticate against your existing directory than the bundled database.

Step 10 - No known or default credentials

This image ships with no usable login. Every password baked at build time, the administrator, the database, and the setup console credentials, is rotated to a random value that is discarded and never recorded, and the first boot service sets fresh values unique to your VM before EGroupware serves a single request. The check below confirms that the per VM administrator authenticates through EGroupware's own authentication path while a blank password and common weak guesses are all rejected.

sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(account_lid,'  (',account_type,')') FROM egroupware.egw_accounts WHERE account_type='u'"
sudo bash /usr/local/sbin/egroupware-cred-roundtrip.sh

The EGroupware user accounts listing the admin login and EGroupware's internal anonymous record, and the round trip check confirming the per VM administrator authenticates via EGroupware's own auth path while blank and weak guesses are rejected

The listing above shows a second account named anonymous alongside admin. That account is not a login for you or your users: EGroupware creates it during installation and uses it internally to serve file manager share links to people who are not signed in. It is created with a random password of EGroupware's own making, this image rotates that password again to a fresh random value unique to your VM on first boot, and the check above confirms it rejects every guessable credential. admin is the only account intended to sign in on a new instance; create your real users under Admin > User accounts.

Change the administrator password to one of your own under Preferences > Password once you have signed in for the first time.

Step 11 - Verify the stack and where your data lives

Confirm the installed release, the health endpoint and the data disk layout. Both the MariaDB database and EGroupware's file store, which holds every file your users upload, live on the dedicated data disk, bind mounted into place, so your data is kept off the operating system disk.

grep -oE "maintenance_release'\] = '[^']+'" /var/www/egroupware/api/setup/setup.inc.php | sed "s/.*'\(.*\)'/EGroupware \1/"
curl -sI http://127.0.0.1/healthz | sed -n 1p
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data; findmnt -no SOURCE,TARGET /var/lib/mysql; findmnt -no SOURCE,TARGET /var/www/egroupware/files

The installed EGroupware release, the healthz endpoint returning 200, and the ext4 data disk mounted at /data and bind mounted onto both the MariaDB datadir and the EGroupware file store

EGroupware reports two version numbers and both are correct: the release above is the shipped maintenance release, while the database records a separate internal schema version that only changes when the table layout does.

Adding your own domain and TLS

Point a DNS A record at the VM's public IP, then issue a certificate with Certbot. Install it and request a certificate for your domain:

sudo apt-get update && sudo apt-get install -y certbot python3-certbot-apache
sudo certbot --apache -d groupware.your-domain.example --agree-tos -m you@your-domain.example --redirect

Certbot configures Apache for HTTPS and installs a renewal timer. Because EGroupware is configured with a relative web server URL, there is nothing to change inside the application afterwards: it picks up your domain automatically.

Backing up

Everything worth keeping is on the data disk: the MariaDB database and the file store. For a full machine level backup, take an Azure snapshot of the data disk, or dump the database and archive the file store:

sudo mysqldump --protocol=socket -uroot --single-transaction egroupware > /var/tmp/egroupware-backup.sql
sudo tar -czf /var/tmp/egroupware-files.tar.gz -C /data/egroupware files

Store both off the VM. The simplest scheduled option is an Azure Backup policy on the VM plus its data disk. EGroupware also has its own backup export under the setup console, which writes a portable dump of a domain.

Security notes

  • The setup console is denied at the web server, so the installer can never be reached or re run against your instance. If you ever need it for a major version upgrade, re enable it temporarily with sudo a2disconf cloudimg-egroupware-lockdown && sudo systemctl reload apache2, then put it back immediately afterwards.
  • header.inc.php, which holds the database password and the setup console credentials, is denied at the web server and is 0640 root:www-data on disk, so it can be fetched neither over HTTP nor by an unprivileged user on the VM.
  • EGroupware's file store is denied at the web server: uploaded files are served only through the file manager, which applies your access control, never as static files.
  • The bundled MariaDB listens on 127.0.0.1:3306 only. Keep port 3306 closed in your NSG; nothing outside the VM needs it.
  • The administrator, database and setup console passwords are unique to your VM, generated on first boot, and written only to /root/egroupware-credentials.txt with 0600 root:root permissions.
  • Session cookies are issued host only, so sign in behaves correctly whether you browse the instance by IP or through a DNS name.
  • Serve the suite over HTTPS before you put real data in it, and restrict 22/tcp to your management network.
  • The base OS is fully patched at build time and unattended security upgrades remain enabled on your VM.

Trademark

EGroupware is a trademark of its respective owner. cloudimg is not affiliated with, endorsed by, or sponsored by EGroupware GmbH or the EGroupware project. This image packages the open source EGroupware community software, which is distributed under the GNU General Public License version 2 or later, and all product and company names are the property of their respective holders.

Support

cloudimg provides 24/7 technical support for this image by email (support@cloudimg.co.uk) and live chat, covering deployment, configuration, upgrades, performance tuning and MariaDB administration. Critical issues receive a one hour average response time.