Collabora Code as application container not working

Hi all! I’m trying to run Collabora Code as an application container in Incus, but I’m facing a problem: it doesn’t seem to respond to any request.

In the official documentation the minimal command line to start a new container looks like this:

docker run -t -d -p 127.0.0.1:9980:9980 collabora/code

And in Incus I’m creating and configuring the container like this:

incus launch docker:collabora/code:latest collabora-container \
-c environment.username='admin' \
-c environment.password='super-strong-password' \
-c environment.aliasgroup1='https://nextcloud.mydomain:443,https://nextcloud\\.mydomain:443' \
-c environment.dictionaries='ca_ES en_GB en_US es_ES' \
-c environment.extra_params='--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning' \
-c security.privileged=true

Then, from the reverse proxy I try to access it with:

curl http://10.139.48.13:9980

And I see these errors in the container logs:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-07-26 21:17:00.960890 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-26 21:17:00.960941 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-26 21:17:00.965709 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-695c43ee/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-26 21:17:00.965778 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00040-00040 2025-07-26 21:17:01.953742 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-26 21:17:01.953761 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-26 21:17:01.953766 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251

So, was anybody able to run Collabora Code as an application container in Incus?

Thanks!

Why did you use -c security.privileged=true?

Privileged containers are quite dangerous and so get more restrictive security policies (AppArmor/Seccomp/Cgroups) than unprivileged ones, which may be causing some of the failures in that log.

Because I was trying to adapt the Docker command with the recommended options from the documentation:

  • --privileged starts the container with rights required for faster jail creation via bind mount.

Anyway, I’ve now tried with an unprivileged container:

incus launch docker:collabora/code:latest collabora-container \
-c environment.username='admin' \
-c environment.password='super-strong-password' \
-c environment.aliasgroup1='https://nextcloud.mydomain:443,https://nextcloud\\.mydomain:443' \
-c environment.dictionaries='ca_ES en_GB en_US es_ES' \
-c environment.extra_params='--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning'

And I’m getting more or less the same errors:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-07-27 09:10:30.429805 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-27 09:10:30.429850 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-27 09:10:30.437784 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-f95d514e/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-27 09:10:30.437828 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00042-00042 2025-07-27 09:10:31.431473 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00042-00042 2025-07-27 09:10:31.431487 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00042-00042 2025-07-27 09:10:31.431492 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251

And I still can’t seem to be able to connect to the port from the Incus host:

curl http://10.139.48.13:9980

Now that I’m thinking about it, those errors don’t seem to be fatal and the service seems to be up and running:

$ incus console --show-log collabora-container
wsd-00021-00021 2025-07-27 09:35:48.084585 +0000 [ coolwsd ] INF  Initializing wsd. Local time: Sun 2025-07-27 09:35:48 +0000. Log level is [8]| common/Log.cpp:625
wsd-00021-00021 2025-07-27 09:35:48.084610 +0000 [ coolwsd ] INF  Setting log-level to [trace] and delaying setting to [warning] until after WSD initialization.| wsd/COOLWSD.cpp:1527
wsd-00021-00021 2025-07-27 09:35:48.084816 +0000 [ coolwsd ] INF  Initializing coolwsd 25.04.4.1 server []. Experimental features are disabled.| wsd/COOLWSD.cpp:1540
wsd-00021-00021 2025-07-27 09:35:48.087072 +0000 [ coolwsd ] INF  Loaded config file [/etc/coolwsd/coolwsd.xml] (non-default values):
        admin_console.password: <redacted>
        admin_console.username: <redacted>
        cache_files.expiry_min: 1000
        cache_files.path: /opt/cool/cache
        indirection_endpoint.geolocation_setup.allowed_websocket_origins:
        logging.anonymize.anonymize_user_data: false
        logging.color: false
        logging_ui_cmd.merge_display_end_time: true
        ssl.ca_file_path: /tmp/ssl/certs/ca/root.crt.pem
        ssl.cert_file_path: /tmp/ssl/certs/servers/localhost/cert.pem
        ssl.enable: false
        ssl.key_file_path: /tmp/ssl/certs/servers/localhost/privkey.pem
        ssl.termination: true
        storage.ssl.enable:
| wsd/COOLWSD.cpp:1549
wsd-00021-00021 2025-07-27 09:35:48.087099 +0000 [ coolwsd ] INF  Anonymization of user-data is configurable.| wsd/COOLWSD.cpp:1618
wsd-00021-00021 2025-07-27 09:35:48.088502 +0000 [ coolwsd ] INF  Anonymization of user-data is disabled.| wsd/COOLWSD.cpp:1665
wsd-00021-00021 2025-07-27 09:35:48.088519 +0000 [ coolwsd ] INF  SSL support: SSL is disabled.| wsd/COOLWSD.cpp:1712
wsd-00021-00021 2025-07-27 09:35:48.088521 +0000 [ coolwsd ] INF  SSL support: termination is enabled.| wsd/COOLWSD.cpp:1713
wsd-00021-00021 2025-07-27 09:35:48.088900 +0000 [ coolwsd ] DBG  Setting envar PDFIMPORT_RESOLUTION_DPI=96 per config per_document.pdf_resolution_dpi| wsd/COOLWSD.cpp:1740
wsd-00021-00021 2025-07-27 09:35:48.088936 +0000 [ coolwsd ] DBG  Normalizing childroot: /opt/cool/child-roots/21-47d55f5d/| wsd/COOLWSD.cpp:1782
wsd-00021-00021 2025-07-27 09:35:48.088943 +0000 [ coolwsd ] DBG  Childroot: /opt/cool/child-roots/21-47d55f5d/| wsd/COOLWSD.cpp:1784
wsd-00021-00021 2025-07-27 09:35:48.090675 +0000 [ coolwsd ] INF  Creating childroot: [/opt/cool/child-roots/21-47d55f5d/] with mount-namespaces| wsd/COOLWSD.cpp:1842
wsd-00021-00021 2025-07-27 09:35:48.091594 +0000 [ coolwsd ] DBG  Move into user namespace as uid 0| wsd/COOLWSD.cpp:1268
wsd-00021-00021 2025-07-27 09:35:48.091842 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-27 09:35:48.091903 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-27 09:35:48.091942 +0000 [ coolwsd ] INF  Cleaning up childroot directory [/opt/cool/child-roots/].| common/JailUtil.cpp:336
wsd-00021-00021 2025-07-27 09:35:48.092292 +0000 [ coolwsd ] DBG  Removing [/opt/cool/child-roots/tmp] recursively.| common/FileUtil-unix.cpp:116
wsd-00021-00021 2025-07-27 09:35:48.092688 +0000 [ coolwsd ] DBG  Removing [/opt/cool/child-roots/linkable] recursively.| common/FileUtil-unix.cpp:116
wsd-00021-00021 2025-07-27 09:35:48.092703 +0000 [ coolwsd ] DBG  Unmounting [/opt/cool/child-roots/]| common/JailUtil.cpp:192
wsd-00021-00021 2025-07-27 09:35:48.092722 +0000 [ coolwsd ] TRC  Executing coolmount command: /usr/bin/coolmount -u -s /opt/cool/child-roots| common/JailUtil.cpp:143
wsd-00021-00021 2025-07-27 09:35:48.097479 +0000 [ coolwsd ] DBG  Failed to unmount [/opt/cool/child-roots/]| common/JailUtil.cpp:205
wsd-00021-00021 2025-07-27 09:35:48.097502 +0000 [ coolwsd ] DBG  Removing empty directories at [/opt/cool/child-roots/] recursively| common/FileUtil-unix.cpp:160
wsd-00021-00021 2025-07-27 09:35:48.097581 +0000 [ coolwsd ] INF  Cleaning up childroot directory [/opt/cool/child-roots/21-47d55f5d/].| common/JailUtil.cpp:336
wsd-00021-00021 2025-07-27 09:35:48.097605 +0000 [ coolwsd ] TRC  Directory [/opt/cool/child-roots/21-47d55f5d/] is not a jail directory or doesn't exist.| common/JailUtil.cpp:341
wsd-00021-00021 2025-07-27 09:35:48.097617 +0000 [ coolwsd ] INF  Creating jail path (if missing): /opt/cool/child-roots/21-47d55f5d//tmp/incoming/fonts| common/JailUtil.cpp:419
wsd-00021-00021 2025-07-27 09:35:48.097777 +0000 [ coolwsd ] INF  Creating jail path (if missing): /opt/cool/child-roots/21-47d55f5d//tmp/sharedpresets| common/JailUtil.cpp:419
/usr/bin/coolmount: mount failed to bind [/opt/cool/systemplate] to [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]: Operation not permitted.
wsd-00021-00021 2025-07-27 09:35:48.097824 +0000 [ coolwsd ] DBG  Mounting [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]| common/JailUtil.cpp:149
wsd-00021-00021 2025-07-27 09:35:48.097859 +0000 [ coolwsd ] TRC  Executing coolmount command: /usr/bin/coolmount -b /opt/cool/systemplate /opt/cool/child-roots/21-47d55f5d/cool_test_mount| common/JailUtil.cpp:143
wsd-00021-00021 2025-07-27 09:35:48.100507 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-27 09:35:48.100547 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
wsd-00021-00021 2025-07-27 09:35:48.100845 +0000 [ coolwsd ] DBG  setupChildRoot status: 0| wsd/COOLWSD.cpp:1310
wsd-00021-00021 2025-07-27 09:35:48.100887 +0000 [ coolwsd ] INF  Using Bind Mounting: false| wsd/COOLWSD.cpp:1312
wsd-00021-00021 2025-07-27 09:35:48.100891 +0000 [ coolwsd ] INF  Using Mount Namespaces: false| wsd/COOLWSD.cpp:1314
wsd-00021-00021 2025-07-27 09:35:48.100894 +0000 [ coolwsd ] DBG  FileServerRoot before config: | wsd/COOLWSD.cpp:1846
wsd-00021-00021 2025-07-27 09:35:48.100921 +0000 [ coolwsd ] DBG  FileServerRoot after config: /usr/share/coolwsd| wsd/COOLWSD.cpp:1848
wsd-00021-00021 2025-07-27 09:35:48.100974 +0000 [ coolwsd ] INF  Quarantine is disabled in config| wsd/COOLWSD.cpp:1875
wsd-00021-00021 2025-07-27 09:35:48.100978 +0000 [ coolwsd ] INF  Cache path is set to [/opt/cool/cache] in config| wsd/COOLWSD.cpp:1881
wsd-00021-00021 2025-07-27 09:35:48.100985 +0000 [ coolwsd ] TRC  Creating cache directory [/opt/cool/cache]| wsd/COOLWSD.cpp:1891
wsd-00021-00021 2025-07-27 09:35:48.101007 +0000 [ coolwsd ] DBG  Created cache directory [/opt/cool/cache]| wsd/COOLWSD.cpp:1894
wsd-00021-00021 2025-07-27 09:35:48.101175 +0000 [ coolwsd ] INF  Initializing Cache at [/opt/cool/cache]| wsd/CacheUtil.cpp:41
wsd-00021-00021 2025-07-27 09:35:48.101233 +0000 [ coolwsd ] INF  NumPreSpawnedChildren set to 4.| wsd/COOLWSD.cpp:1912
wsd-00021-00021 2025-07-27 09:35:48.101247 +0000 [ coolwsd ] INF  Registering filesystem for space checks: [/opt/cool/child-roots/21-47d55f5d/.]| common/FileUtil.cpp:343
wsd-00021-00021 2025-07-27 09:35:48.102684 +0000 [ coolwsd ] INF  MAX_CONCURRENCY set to 4.| wsd/COOLWSD.cpp:1936
wsd-00021-00021 2025-07-27 09:35:48.102714 +0000 [ coolwsd ] INF  DISABLE_REDLINE set| wsd/COOLWSD.cpp:1958
wsd-00021-00021 2025-07-27 09:35:48.102731 +0000 [ coolwsd ] DBG  net::Defaults: Socket[inactivityTimeout 3600000000us, maxExtConnections 200000]| wsd/COOLWSD.cpp:1991
wsd-00021-00021 2025-07-27 09:35:48.102768 +0000 [ coolwsd ] INF  Maximum file descriptor supported by the system: 1048575| wsd/COOLWSD.cpp:2102
wsd-00021-00021 2025-07-27 09:35:48.102770 +0000 [ coolwsd ] INF  Maximum number of open documents supported by the system: 262136| wsd/COOLWSD.cpp:2105
wsd-00021-00021 2025-07-27 09:35:48.102780 +0000 [ coolwsd ] INF  Maximum concurrent open Documents limit: 1000000| wsd/COOLWSD.cpp:2108
wsd-00021-00021 2025-07-27 09:35:48.102783 +0000 [ coolwsd ] INF  Maximum concurrent client Connections limit: 1000000| wsd/COOLWSD.cpp:2109
wsd-00021-00021 2025-07-27 09:35:48.102790 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102793 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102808 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102813 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102816 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102819 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102829 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102833 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102836 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102841 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102857 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102861 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102864 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102867 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [localhost]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102887 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102891 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102893 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102896 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102918 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102922 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102925 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102928 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102938 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102942 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102945 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102948 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102958 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102969 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [nextcloud.mydomain]| wsd/COOLWSD.cpp:296
wsd-00021-00021 2025-07-27 09:35:48.102972 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW alias: [nextcloud\\.mydomain]| wsd/COOLWSD.cpp:313
wsd-00021-00021 2025-07-27 09:35:48.106255 +0000 [ coolwsd ] TRC  Initialize FileServerRequestHandler| wsd/COOLWSD.cpp:2174
wsd-00021-00021 2025-07-27 09:35:48.106287 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist]| wsd/FileServer.cpp:1212
wsd-00021-00021 2025-07-27 09:35:48.106785 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist/nextcloud]| wsd/FileServer.cpp:1212
wsd-00021-00021 2025-07-27 09:35:48.107944 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist/nextcloud/images]| wsd/FileServer.cpp:1212
wsd-00021-00021 2025-07-27 09:35:48.120468 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist/nextcloud/images/es]| wsd/FileServer.cpp:1212
...

Could the problem be that the service is listening only on 127.0.0.1, then, @stgraber?
Is there any equivalent way of doing what they do with -p 127.0.0.1:9980:9980 in Incus?

Well, there seems to be another thing going on. I’ve now tried this:

incus launch docker:collabora/code:latest collabora-container

Then:

incus exec collabora-container -- su

And then:

root@collabora-container:/opt/cool# curl -k -vvv https://localhost:9980
*   Trying 127.0.0.1:9980...
* Connected to localhost (127.0.0.1) port 9980 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

And it gets stuck there… :thinking:

Try setting security.nesting=true that should help with the namespace errors.

This is what I did now:

incus launch docker:collabora/code:latest collabora-container -c security.nesting=true

Then tried to connect from inside the container with the same result:

$ incus exec collabora-container -- su
root@collabora-container:/opt/cool# curl -k -vv https://localhost:9980
*   Trying 127.0.0.1:9980...
* Connected to localhost (127.0.0.1) port 9980 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

And the logs show the same errors:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-07-27 20:32:07.773271 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-27 20:32:07.773311 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-27 20:32:07.776538 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-bdd1d702/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-27 20:32:07.776567 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00040-00040 2025-07-27 20:32:08.767467 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-27 20:32:08.767486 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-27 20:32:08.767499 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251

I also opened a thread on the Collabora Online forum and they gave me some advice:

$ incus launch docker:collabora/code:latest collabora-container \
  --config security.nesting=true \
  --config security.syscalls.intercept.mknod=true \
  --config security.syscalls.intercept.mount=true \
  --config security.syscalls.intercept.setxattr=true \
  --config raw.lxc="lxc.cap.keep = sys_chroot chown fowner"
$ incus exec collabora-container -- curl -k -vvv https://localhost:9980
*   Trying 127.0.0.1:9980...
* Connected to localhost (127.0.0.1) port 9980 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

And I’m still seeing these errors on the log:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-08-18 22:22:40.436294 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-08-18 22:22:40.436339 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-08-18 22:22:40.444385 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-a64d9fa7/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-08-18 22:22:40.444464 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00042-00042 2025-08-18 22:22:41.463179 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00042-00042 2025-08-18 22:22:41.463192 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00042-00042 2025-08-18 22:22:41.463197 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251

@stgraber do you have any idea why I’m still seeing errors for capabilities not being set, even when using lxc.cap.keep?

P.S.
By the way, I’m trying this on an Oracle Cloud ARM64 instance, if that matters:

$ uname -a
Linux arm64-server 6.14.0-1011-oracle #11~24.04.1-Ubuntu SMP Mon Aug  4 18:41:59 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux

OK, I got somewhere. If I create the container like this:

incus launch docker:collabora/code:latest collabora-code-container \
-c environment.username='admin' \
-c environment.password='super-strong-password' \
-c environment.aliasgroup1='https://nextcloud.mydomain:443,https://nextcloud\\.mydomain:443' \
-c environment.dictionaries='ca_ES en_GB en_US es_ES' \
-c environment.extra_params='--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:security.capabilities=false'

It works:

$ curl -k http://<collabora-code-container-IP>:9980
OK

A few things to note here:

  1. The security.capabilities config is marked as deprecated in CODE’s config:
<security desc="Altering these defaults potentially opens you to significant risk">
...
  <!-- deprecated: If capabilities is 'false', coolwsd will assume mount_namespaces of 'true' to achieve
         this goal, only avoiding chroot for process isolation if linux namespaces are unavailable -->
    <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities>
...
  2. When running Collabora CODE with security.capabilities=false, warnings and errors like these appear in the log:
[ kit_spare_003 ] WRN  Security warning: running without chroot jails is insecure.| kit/Kit.cpp:3686
[ coolforkit-ns ] ERR  Security: Running without the capability to enter a chroot jail is ill advised.| kit/ForKit.cpp:950
  3. I’m still seeing some errors:
$ incus console --show-log collabora-code-container | grep ERR
...
[ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-392a228a/cool_test_mount]| common/JailUtil.cpp:157
[ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
...

Regarding 1, I hope the option doesn’t disappear.

Regarding 2, I would say that for my use-case this is an OK tradeoff, because we are only 2 people using the nextcloud instance and collabora code is running in a different server than nextcloud, but I guess that for other use-cases it might be dangerous.

Regarding 3, I think it is related to performance:


<mount_jail_tree desc="Controls whether the systemplate and lotemplate contents are mounted or not, which is much faster than the default of linking/copying each file." type="bool" default="true"></mount_jail_tree>

But I was wondering: is there any way to allow an unprivileged container to perform bind-mounts, @stgraber?
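For triaging logs like the ones quoted throughout this thread, here is an added example (an editor's addition, not code from the thread, from Collabora or from Incus): a small Python parser that reads coolwsd/coolforkit lines in the format shown above and folds the ERR/WRN/INF lines into the effective process-isolation state the service ended up with (mount namespaces, bind-mount, chroot jail, missing capabilities). The line format and message patterns are taken from the lines quoted in the thread; the sample log is constructed from those same lines.

```python
import re
from dataclasses import dataclass, field

# Line shape as posted in this thread. The "<proc>-<pid>-<tid> <timestamp>" prefix is
# absent on some of the trimmed lines quoted later on, so it is optional here:
#   wsd-00021-00021 2025-07-27 09:35:48.091842 +0000 [ coolwsd ] ERR  <message>| <file>:<line>
LOG_RE = re.compile(
    r"^(?:\w+-\d+-\d+\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}\s+)?"
    r"\[ (?P<component>[^\]]+?) \]\s+(?P<level>[A-Z]{3})\s+(?P<msg>.*?)\|\s*(?P<src>\S+:\d+)$"
)

@dataclass
class Entry:
    component: str
    level: str
    msg: str
    src: str

def parse_line(line):
    """Return an Entry for one coolwsd/coolforkit log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return Entry(m["component"], m["level"], m["msg"].strip(), m["src"]) if m else None

# Which isolation mechanism an ERR/WRN message is about; patterns come from the
# messages quoted in this thread.
CATEGORIES = (
    ("mount-namespace", re.compile(r"unshare failed|creating usernamespace")),
    ("bind-mount", re.compile(r"Failed to bind-mount|Bind-Mounting fails")),
    ("capability", re.compile(r"Capability (?P<cap>cap_\w+) is not set")),
    ("chroot-jail", re.compile(r"without chroot jails|without the capability to enter a chroot jail")),
)

def classify(entry):
    for name, rx in CATEGORIES:
        m = rx.search(entry.msg)
        if m:
            return name, m.groupdict().get("cap")
    return "other", None

@dataclass
class JailState:
    mount_namespaces: bool = True  # "Using Mount Namespaces: false" or the unshare ERR clears it
    bind_mount: bool = True        # "Using Bind Mounting: false" or the bind-mount ERR clears it
    chroot_jail: bool = True       # the "running without chroot jails" warnings clear it
    missing_caps: list = field(default_factory=list)
    other_errors: list = field(default_factory=list)

def summarize(lines):
    """Fold a log into the effective process-isolation state it reports."""
    st = JailState()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        # These INF lines state the mode coolwsd settled on after its self-test.
        if e.level == "INF" and e.msg.startswith("Using Bind Mounting: "):
            st.bind_mount = e.msg.endswith("true")
        elif e.level == "INF" and e.msg.startswith("Using Mount Namespaces: "):
            st.mount_namespaces = e.msg.endswith("true")
        if e.level not in ("ERR", "WRN"):
            continue
        cat, cap = classify(e)
        if cat == "mount-namespace":
            st.mount_namespaces = False
        elif cat == "bind-mount":
            st.bind_mount = False
        elif cat == "chroot-jail":
            st.chroot_jail = False
        elif cat == "capability":
            if cap not in st.missing_caps:
                st.missing_caps.append(cap)
        elif e.level == "ERR":
            st.other_errors.append(e.msg)
    return st

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG = [
    "wsd-00021-00021 2025-07-27 09:35:48.091842 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70",
    "wsd-00021-00021 2025-07-27 09:35:48.091903 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272",
    "wsd-00021-00021 2025-07-27 09:35:48.100507 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]| common/JailUtil.cpp:157",
    "wsd-00021-00021 2025-07-27 09:35:48.100887 +0000 [ coolwsd ] INF  Using Bind Mounting: false| wsd/COOLWSD.cpp:1312",
    "wsd-00021-00021 2025-07-27 09:35:48.100891 +0000 [ coolwsd ] INF  Using Mount Namespaces: false| wsd/COOLWSD.cpp:1314",
    "frk-00040-00040 2025-07-27 09:35:49.767467 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251",
    "frk-00040-00040 2025-07-27 09:35:49.767486 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251",
    "[ kit_spare_003 ] WRN  Security warning: running without chroot jails is insecure.| kit/Kit.cpp:3686",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Pipe `incus console --show-log <container>` into `summarize()` to see at a glance which of the three isolation layers the container actually ended up with, rather than grepping for ERR and eyeballing the result.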