Collabora Code as application container not working

Incus
1

Hi all! I’m trying to run Collabora Code as an application container in Incus, but I’m facing a problem: it doesn’t seem to respond to any request.

In the official documentation the minimal command line to start a new container looks like this:

docker run -t -d -p 127.0.0.1:9980:9980 collabora/code

And in Incus I’m creating and configuring the container like this:

incus launch docker:collabora/code:latest collabora-container \
-c environment.username='admin' \
-c environment.password='super-strong-password' \
-c environment.aliasgroup1='https://nextcloud.mydomain:443,https://nextcloud\\.mydomain:443' \
-c environment.dictionaries='ca_ES en_GB en_US es_ES' \
-c environment.extra_params='--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning \
-c security.privileged=true

Then, from the reverse proxy I try to access it with:

curl http://10.139.48.13:9980

And I see this errors on the container logs:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-07-26 21:17:00.960890 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-26 21:17:00.960941 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-26 21:17:00.965709 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-695c43ee/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-26 21:17:00.965778 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00040-00040 2025-07-26 21:17:01.953742 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-26 21:17:01.953761 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-26 21:17:01.953766 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251

So, was anybody able to run Collabora Code as an application container in Incus?

Thanks!

2

Why did you use -c security.privileged=true?

Privileged containers are quite dangerous and so get more restrictive security policies (AppArmor/Seccomp/Cgroups) that unprivileged ones, which may be causing some of the failures in that log.

3

Because I was trying to adapt the Docker command with the recommended options from the documentation:

  • --privileged starts the container with rights required for faster jail creation via bind mount.

Anyway, I’ve now tried with an unprivileged container:

incus launch docker:collabora/code:latest collabora-container \
-c environment.username='admin' \
-c environment.password='super-strong-password' \
-c environment.aliasgroup1='https://nextcloud.mydomain:443,https://nextcloud\\.mydomain:443' \
-c environment.dictionaries='ca_ES en_GB en_US es_ES' \
-c environment.extra_params='--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning

And I’m getting more or less the same errors:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-07-27 09:10:30.429805 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-27 09:10:30.429850 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-27 09:10:30.437784 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-f95d514e/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-27 09:10:30.437828 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00042-00042 2025-07-27 09:10:31.431473 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00042-00042 2025-07-27 09:10:31.431487 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00042-00042 2025-07-27 09:10:31.431492 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251

And I still can’t seem to be enable to connect to the port from the Incus host:

curl http://10.139.48.13:9980
4

Now that I’m thinking about it, those errors don’t seem to be fatal and the service seems to be up and running:

$ incus console --show-log collabora-container
wsd-00021-00021 2025-07-27 09:35:48.084585 +0000 [ coolwsd ] INF  Initializing wsd. Local time: Sun 2025-07-27 09:35:48 +0000. Log level is [8]| common/Log.cpp:625
wsd-00021-00021 2025-07-27 09:35:48.084610 +0000 [ coolwsd ] INF  Setting log-level to [trace] and delaying setting to [warning] until after WSD initialization.| wsd/COOLWSD.cpp:1527
wsd-00021-00021 2025-07-27 09:35:48.084816 +0000 [ coolwsd ] INF  Initializing coolwsd 25.04.4.1 server []. Experimental features are disabled.| wsd/COOLWSD.cpp:1540
wsd-00021-00021 2025-07-27 09:35:48.087072 +0000 [ coolwsd ] INF  Loaded config file [/etc/coolwsd/coolwsd.xml] (non-default values):
        admin_console.password: <redacted>
        admin_console.username: <redacted>
        cache_files.expiry_min: 1000
        cache_files.path: /opt/cool/cache
        indirection_endpoint.geolocation_setup.allowed_websocket_origins:
        logging.anonymize.anonymize_user_data: false
        logging.color: false
        logging_ui_cmd.merge_display_end_time: true
        ssl.ca_file_path: /tmp/ssl/certs/ca/root.crt.pem
        ssl.cert_file_path: /tmp/ssl/certs/servers/localhost/cert.pem
        ssl.enable: false
        ssl.key_file_path: /tmp/ssl/certs/servers/localhost/privkey.pem
        ssl.termination: true
        storage.ssl.enable:
| wsd/COOLWSD.cpp:1549
wsd-00021-00021 2025-07-27 09:35:48.087099 +0000 [ coolwsd ] INF  Anonymization of user-data is configurable.| wsd/COOLWSD.cpp:1618
wsd-00021-00021 2025-07-27 09:35:48.088502 +0000 [ coolwsd ] INF  Anonymization of user-data is disabled.| wsd/COOLWSD.cpp:1665
wsd-00021-00021 2025-07-27 09:35:48.088519 +0000 [ coolwsd ] INF  SSL support: SSL is disabled.| wsd/COOLWSD.cpp:1712
wsd-00021-00021 2025-07-27 09:35:48.088521 +0000 [ coolwsd ] INF  SSL support: termination is enabled.| wsd/COOLWSD.cpp:1713
wsd-00021-00021 2025-07-27 09:35:48.088900 +0000 [ coolwsd ] DBG  Setting envar PDFIMPORT_RESOLUTION_DPI=96 per config per_document.pdf_resolution_dpi| wsd/COOLWSD.cpp:1740
wsd-00021-00021 2025-07-27 09:35:48.088936 +0000 [ coolwsd ] DBG  Normalizing childroot: /opt/cool/child-roots/21-47d55f5d/| wsd/COOLWSD.cpp:1782
wsd-00021-00021 2025-07-27 09:35:48.088943 +0000 [ coolwsd ] DBG  Childroot: /opt/cool/child-roots/21-47d55f5d/| wsd/COOLWSD.cpp:1784
wsd-00021-00021 2025-07-27 09:35:48.090675 +0000 [ coolwsd ] INF  Creating childroot: [/opt/cool/child-roots/21-47d55f5d/] with mount-namespaces| wsd/COOLWSD.cpp:1842
wsd-00021-00021 2025-07-27 09:35:48.091594 +0000 [ coolwsd ] DBG  Move into user namespace as uid 0| wsd/COOLWSD.cpp:1268
wsd-00021-00021 2025-07-27 09:35:48.091842 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-27 09:35:48.091903 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-27 09:35:48.091942 +0000 [ coolwsd ] INF  Cleaning up childroot directory [/opt/cool/child-roots/].| common/JailUtil.cpp:336
wsd-00021-00021 2025-07-27 09:35:48.092292 +0000 [ coolwsd ] DBG  Removing [/opt/cool/child-roots/tmp] recursively.| common/FileUtil-unix.cpp:116
wsd-00021-00021 2025-07-27 09:35:48.092688 +0000 [ coolwsd ] DBG  Removing [/opt/cool/child-roots/linkable] recursively.| common/FileUtil-unix.cpp:116
wsd-00021-00021 2025-07-27 09:35:48.092703 +0000 [ coolwsd ] DBG  Unmounting [/opt/cool/child-roots/]| common/JailUtil.cpp:192
wsd-00021-00021 2025-07-27 09:35:48.092722 +0000 [ coolwsd ] TRC  Executing coolmount command: /usr/bin/coolmount -u -s /opt/cool/child-roots| common/JailUtil.cpp:143
wsd-00021-00021 2025-07-27 09:35:48.097479 +0000 [ coolwsd ] DBG  Failed to unmount [/opt/cool/child-roots/]| common/JailUtil.cpp:205
wsd-00021-00021 2025-07-27 09:35:48.097502 +0000 [ coolwsd ] DBG  Removing empty directories at [/opt/cool/child-roots/] recursively| common/FileUtil-unix.cpp:160
wsd-00021-00021 2025-07-27 09:35:48.097581 +0000 [ coolwsd ] INF  Cleaning up childroot directory [/opt/cool/child-roots/21-47d55f5d/].| common/JailUtil.cpp:336
wsd-00021-00021 2025-07-27 09:35:48.097605 +0000 [ coolwsd ] TRC  Directory [/opt/cool/child-roots/21-47d55f5d/] is not a jail directory or doesn't exist.| common/JailUtil.cpp:341
wsd-00021-00021 2025-07-27 09:35:48.097617 +0000 [ coolwsd ] INF  Creating jail path (if missing): /opt/cool/child-roots/21-47d55f5d//tmp/incoming/fonts| common/JailUtil.cpp:419
wsd-00021-00021 2025-07-27 09:35:48.097777 +0000 [ coolwsd ] INF  Creating jail path (if missing): /opt/cool/child-roots/21-47d55f5d//tmp/sharedpresets| common/JailUtil.cpp:419
/usr/bin/coolmount: mount failed to bind [/opt/cool/systemplate] to [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]: Operation not permitted.
wsd-00021-00021 2025-07-27 09:35:48.097824 +0000 [ coolwsd ] DBG  Mounting [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]| common/JailUtil.cpp:149
wsd-00021-00021 2025-07-27 09:35:48.097859 +0000 [ coolwsd ] TRC  Executing coolmount command: /usr/bin/coolmount -b /opt/cool/systemplate /opt/cool/child-roots/21-47d55f5d/cool_test_mount| common/JailUtil.cpp:143
wsd-00021-00021 2025-07-27 09:35:48.100507 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-47d55f5d/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-27 09:35:48.100547 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
wsd-00021-00021 2025-07-27 09:35:48.100845 +0000 [ coolwsd ] DBG  setupChildRoot status: 0| wsd/COOLWSD.cpp:1310
wsd-00021-00021 2025-07-27 09:35:48.100887 +0000 [ coolwsd ] INF  Using Bind Mounting: false| wsd/COOLWSD.cpp:1312
wsd-00021-00021 2025-07-27 09:35:48.100891 +0000 [ coolwsd ] INF  Using Mount Namespaces: false| wsd/COOLWSD.cpp:1314
wsd-00021-00021 2025-07-27 09:35:48.100894 +0000 [ coolwsd ] DBG  FileServerRoot before config: | wsd/COOLWSD.cpp:1846
wsd-00021-00021 2025-07-27 09:35:48.100921 +0000 [ coolwsd ] DBG  FileServerRoot after config: /usr/share/coolwsd| wsd/COOLWSD.cpp:1848
wsd-00021-00021 2025-07-27 09:35:48.100974 +0000 [ coolwsd ] INF  Quarantine is disabled in config| wsd/COOLWSD.cpp:1875
wsd-00021-00021 2025-07-27 09:35:48.100978 +0000 [ coolwsd ] INF  Cache path is set to [/opt/cool/cache] in config| wsd/COOLWSD.cpp:1881
wsd-00021-00021 2025-07-27 09:35:48.100985 +0000 [ coolwsd ] TRC  Creating cache directory [/opt/cool/cache]| wsd/COOLWSD.cpp:1891
wsd-00021-00021 2025-07-27 09:35:48.101007 +0000 [ coolwsd ] DBG  Created cache directory [/opt/cool/cache]| wsd/COOLWSD.cpp:1894
wsd-00021-00021 2025-07-27 09:35:48.101175 +0000 [ coolwsd ] INF  Initializing Cache at [/opt/cool/cache]| wsd/CacheUtil.cpp:41
wsd-00021-00021 2025-07-27 09:35:48.101233 +0000 [ coolwsd ] INF  NumPreSpawnedChildren set to 4.| wsd/COOLWSD.cpp:1912
wsd-00021-00021 2025-07-27 09:35:48.101247 +0000 [ coolwsd ] INF  Registering filesystem for space checks: [/opt/cool/child-roots/21-47d55f5d/.]| common/FileUtil.cpp:343
wsd-00021-00021 2025-07-27 09:35:48.102684 +0000 [ coolwsd ] INF  MAX_CONCURRENCY set to 4.| wsd/COOLWSD.cpp:1936
wsd-00021-00021 2025-07-27 09:35:48.102714 +0000 [ coolwsd ] INF  DISABLE_REDLINE set| wsd/COOLWSD.cpp:1958
wsd-00021-00021 2025-07-27 09:35:48.102731 +0000 [ coolwsd ] DBG  net::Defaults: Socket[inactivityTimeout 3600000000us, maxExtConnections 200000]| wsd/COOLWSD.cpp:1991
wsd-00021-00021 2025-07-27 09:35:48.102768 +0000 [ coolwsd ] INF  Maximum file descriptor supported by the system: 1048575| wsd/COOLWSD.cpp:2102
wsd-00021-00021 2025-07-27 09:35:48.102770 +0000 [ coolwsd ] INF  Maximum number of open documents supported by the system: 262136| wsd/COOLWSD.cpp:2105
wsd-00021-00021 2025-07-27 09:35:48.102780 +0000 [ coolwsd ] INF  Maximum concurrent open Documents limit: 1000000| wsd/COOLWSD.cpp:2108
wsd-00021-00021 2025-07-27 09:35:48.102783 +0000 [ coolwsd ] INF  Maximum concurrent client Connections limit: 1000000| wsd/COOLWSD.cpp:2109
wsd-00021-00021 2025-07-27 09:35:48.102790 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102793 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102808 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102813 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102816 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102819 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102829 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102833 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102836 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102841 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102857 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102861 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102864 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102867 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [localhost]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102887 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102891 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102893 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102896 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:127\.0\.0\.1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102918 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::1]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102922 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102925 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102928 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102938 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102942 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102945 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102948 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102958 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:231
wsd-00021-00021 2025-07-27 09:35:48.102969 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [nextcloud.mydomain]| wsd/COOLWSD.cpp:296
wsd-00021-00021 2025-07-27 09:35:48.102972 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW alias: [nextcloud\\.mydomain]| wsd/COOLWSD.cpp:313
wsd-00021-00021 2025-07-27 09:35:48.106255 +0000 [ coolwsd ] TRC  Initialize FileServerRequestHandler| wsd/COOLWSD.cpp:2174
wsd-00021-00021 2025-07-27 09:35:48.106287 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist]| wsd/FileServer.cpp:1212
wsd-00021-00021 2025-07-27 09:35:48.106785 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist/nextcloud]| wsd/FileServer.cpp:1212
wsd-00021-00021 2025-07-27 09:35:48.107944 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist/nextcloud/images]| wsd/FileServer.cpp:1212
wsd-00021-00021 2025-07-27 09:35:48.120468 +0000 [ coolwsd ] DBG  Caching files in [/usr/share/coolwsd/browser/dist/nextcloud/images/es]| wsd/FileServer.cpp:1212
...

Could the problem be that the service is listening only on 127.0.0.1 then @stgraber ?
Is there any equivalent way of doing what they do with -p 127.0.0.1:9980:9980 in Incus?

5

Well, there seems to be another thing going on. I’ve now tried this:

incus launch docker:collabora/code:latest collabora-container

Then:

incus exec collabora-container -- su

And then:

root@collabora-container:/opt/cool# curl -k -vvv https://localhost:9980
*   Trying 127.0.0.1:9980...
* Connected to localhost (127.0.0.1) port 9980 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

And it gets stuck there… :thinking:

6

Try setting security.nesting=true that should help with the namespace errors.

7

This is what I did now:

incus launch docker:collabora/code:latest collabora-container -c security.nesting=true

Then tried to connect from inside the container with the same result:

$ incus exec collabora-container -- su
root@collabora-container:/opt/cool# curl -k -vv https://localhost:9980
*   Trying 127.0.0.1:9980...
* Connected to localhost (127.0.0.1) port 9980 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

And the logs show the same errors:

$ incus console --show-log collabora-container | grep ERR
wsd-00021-00021 2025-07-27 20:32:07.773271 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Permission denied| common/JailUtil.cpp:70
wsd-00021-00021 2025-07-27 20:32:07.773311 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
wsd-00021-00021 2025-07-27 20:32:07.776538 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/21-bdd1d702/cool_test_mount]| common/JailUtil.cpp:157
wsd-00021-00021 2025-07-27 20:32:07.776567 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
frk-00040-00040 2025-07-27 20:32:08.767467 +0000 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-27 20:32:08.767486 +0000 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:251
frk-00040-00040 2025-07-27 20:32:08.767499 +0000 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:251