Storage Azure

SeedDMS 6 Document Management System on Ubuntu 24.04 on Azure User Guide

| Product: SeedDMS 6 Document Management System on Ubuntu 24.04 LTS on Azure

Overview

SeedDMS is a mature, web based open source Document Management System. It organises files into a browsable folder tree with full version history, controls who can see and edit each folder or document through per object access control lists, runs documents through review and approval workflows, tags them with categories and attributes, and finds them again with full text search. It also exposes a WebDAV endpoint and a REST API. The cloudimg image ships SeedDMS 6 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The install wizard is pre completed and locked, so the platform is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306). A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • SeedDMS 6 served by nginx and PHP 8.3 FPM, managed by systemd
  • A bundled MariaDB server holding the SeedDMS database, already installed and ready
  • The install wizard pre completed and locked, and the web install tool removed
  • A per VM administrator password generated on first boot and recorded in a root only file
  • No shipped default login: the well known SeedDMS admin / admin account is never shipped; the administrator password ships rotated to a discarded random and the real per VM password is set on first boot
  • MariaDB bound to 127.0.0.1 only, never exposed to the network
  • Document content stored under /var/lib/seeddms/data, kept separate from both the web root and the application code
  • nginx.service, php8.3-fpm.service and mariadb.service as enabled systemd units
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for a small team; step up to Standard_D2s_v3 for heavier document workloads. NSG inbound: allow 22/tcp from your management network and 80/tcp for the application (add 443/tcp if you terminate TLS on the VM). The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for SeedDMS by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name seeddms \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Then open port 80:

az vm open-port --resource-group <your-rg> --name seeddms --port 80

Step 3 - Confirm the services are running

SSH in as azureuser and confirm nginx, PHP FPM, MariaDB and the first boot service are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves SeedDMS on port 80.

systemctl is-active nginx php8.3-fpm mariadb seeddms-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/  */ /g'

The nginx, php8.3-fpm, mariadb and seeddms-firstboot services active, with nginx on port 80 and MariaDB bound to loopback 127.0.0.1:3306

Step 4 - Retrieve the per VM administrator password

Every VM generates its own SeedDMS administrator password on first boot and writes it, along with the login user and the application URL, to a root only credentials file. Read it with sudo:

sudo cat /root/seeddms-credentials.txt

The per VM SeedDMS credentials file, showing the admin login user, the generated password masked, the application URL and the loopback MariaDB details

You sign in to SeedDMS as user admin with the SEEDDMS_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.

Step 5 - Sign in

Browse to http://<vm-public-ip>/. You land on the SeedDMS sign in page. Enter user ID admin and the password from Step 4.

The SeedDMS sign in page showing the user ID and password fields, the language and theme selectors and the Sign in button

After signing in you land on the DMS root folder view, which shows the folder tree on the left, folder information in the centre and a drag and drop fast upload panel on the right.

The SeedDMS root folder view after signing in, with the DMS folder tree, the Folder Information panel and the Fast upload drop zone

Step 6 - Add folders and documents

From any folder use Add subfolder to build out your folder structure, then Add document to upload a file. Each document you add can carry a name, comment, keywords, categories, an expiry date and a sequence position, and every subsequent upload to the same document is kept as a new version with the full history preserved.

The SeedDMS Add Document form showing the name, comment, keywords, categories and file upload fields

Step 7 - Manage users and access

Open Admin tools then User management to create users and groups and assign them roles. Combine users and groups with per folder and per document access control lists to control exactly who can read, write, review or approve each part of your document tree. This is also where you rotate the administrator's own password from the web interface.

The SeedDMS user management admin view listing users with their roles and the controls to add and edit users

Step 8 - No known or default credentials

SeedDMS ships upstream with a well known admin / admin account. The cloudimg image never ships it: the administrator password is rotated to a discarded random value at build time, and the real per VM administrator password is generated with a unique random secret on the first boot of every VM. You can prove both facts on the box. The user table holds only the admin and disabled guest rows, the well known default password hash is absent, and the built in round trip check confirms the per VM administrator signs in through the SeedDMS login form:

sudo mariadb -N -B seeddms -e "SELECT id,login,role FROM tblUsers ORDER BY id;"
sudo mariadb -N -B seeddms -e "SELECT count(*) AS default_admin_present FROM tblUsers WHERE login='admin' AND pwd='21232f297a57a5a743894a0e4a801fc3';"
sudo bash /usr/local/sbin/seeddms-cred-roundtrip.sh

The admin and guest rows in the SeedDMS user table, the default admin password hash count returning zero, and the round trip check confirming the per VM admin authenticates via the SeedDMS login form

Step 9 - Verify the stack and where your data lives

Confirm the health endpoint, the installed schema version and where your document content lives. The web root at /var/www/seeddms/www holds only application code, the configuration file sits outside the web root at /var/www/seeddms/conf/settings.xml, and all uploaded document content is stored under /var/lib/seeddms/data, kept separate from both the web root and the code so it is never web reachable and survives an application upgrade:

curl -sI http://127.0.0.1/healthz | head -1
sudo mariadb -N -B seeddms -e "SELECT concat('SeedDMS schema ',major,'.',minor,'.',subminor) FROM tblVersion;"
ls -ld /var/www/seeddms/www /var/www/seeddms/conf /var/lib/seeddms/data

The healthz endpoint returning 200, the SeedDMS schema version 6.0.0, and the web root, configuration and document content directories

Adding your own domain and TLS

The appliance serves plain HTTP on port 80. For production, point a DNS record at your VM and obtain a certificate with Let's Encrypt:

sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>

SeedDMS derives its base URL from the request Host header, so once you reach the VM on your domain over HTTPS the links render correctly with no further change.

Backing up

Your document data is the SeedDMS database plus the document content directory. Dump the database and archive the content tree:

sudo mysqldump seeddms > /tmp/seeddms-backup.sql
sudo tar czf /tmp/seeddms-content-backup.tar.gz -C /var/lib/seeddms data

Copy both files off the VM on your usual schedule. To restore, load the SQL dump into the seeddms database and unpack the archive back to /var/lib/seeddms/data.

Security notes

  • SeedDMS serves plain HTTP on port 80 out of the box. For anything beyond a trusted network, add your own domain and TLS as above, or front the VM with Azure Application Gateway.
  • The bundled MariaDB listens on 127.0.0.1 only and is never reachable from the network. Administer it through SeedDMS or over SSH with sudo mariadb.
  • The administrator password is unique per VM and no known or blank credential authenticates. Keep /root/seeddms-credentials.txt protected. To rotate the password, sign in and change it under Admin tools then User management, or from the box set a new one directly:
sudo mariadb seeddms -e "UPDATE tblUsers SET pwd=MD5('<new-password>') WHERE login='admin'"
  • The configuration file and document content live outside the web root, and nginx denies /inc, /utils, /doc, /install and dotfiles, so code, configuration and uploaded files are never web reachable.
  • Apply operating system updates regularly with sudo apt update && sudo apt upgrade; unattended security updates are enabled by default.