Collabora-CODE docker + Frewalld on CentOS

Hey Guys!

I’ve 2 servers. One is called cloud.mycompany.hu and this contains my nextcloud installation. Works like a charm.

The other server is purely for running the collabora server from docker. This is called ds.mycompany.hu. I’ve installed it according to the installation guide. However, When I try to open a document file in nextcloud I get an internal server error. The document server has CentOS 7 installed and the docker starts up correctly. However, I’ve noticed something strange in my firewalld. The following appears in the systemctl status after starting my docker:

[root@document-server ~]# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2017-10-03 09:40:18 CEST; 37s ago
Docs: man:firewalld(1)
Main PID: 4758 (firewalld)
Memory: 27.5M
CGroup: /system.slice/firewalld.service
└─4758 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed: iptables: No chain/target/match by that name.
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: No chain/target/match by that name.
Oct 03 09:40:20 document-server firewalld[4758]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

What can this cause the issue? When I try to enter my ds.mycompany.hu/hosting/discovery URL, I get a 502 bad gateway error message told by NginX. Could it be that because of the bad firewall setting, NginX is unable to handle the PHP requests?

I start docker with the following command:
docker run -t -d -p 127.0.0.1:9980:9980 -e 'cloud\\.mycompany\\.hu' --restart always --cap-add MKNOD collabora/code

The NginX config on the document-server is the exact same as it is in the example, except for the server_name and the SSL cert files.

NginX here logs the following: (please note, I’ve removed sensitive information

2017/10/03 09:32:57 [crit] 4241#4241: *7 connect() to [::1]:9980 failed (13: Permission denied) while connecting to upstream, client: 10.0.0.XXX, server: ds.mycompany.hu, request: “GET /hosting/discovery HTTP/1.1”, upstream: “https://[::1]:9980/hosting/discovery”, host: “ds.mycompany.hu”
2017/10/03 09:32:57 [warn] 4241#4241: *7 upstream server temporarily disabled while connecting to upstream, client: 10.0.0.XXX, server: ds.mycompany.hu, request: “GET /hosting/discovery HTTP/1.1”, upstream: “https://[::1]:9980/hosting/discovery”, host: “ds.mycompany.hu”
2017/10/03 09:32:57 [crit] 4241#4241: *7 connect() to 127.0.0.1:9980 failed (13: Permission denied) while connecting to upstream, client: 10.0.0.XXX, server: ds.mycompany.hu, request: “GET /hosting/discovery HTTP/1.1”, upstream: “https://127.0.0.1:9980/hosting/discovery”, host: “ds.mycompany.hu”
2017/10/03 09:32:57 [warn] 4241#4241: *7 upstream server temporarily disabled while connecting to upstream, client: 10.0.0.XXX, server: ds.mycompany.hu, request: “GET /hosting/discovery HTTP/1.1”, upstream: “https://127.0.0.1:9980/hosting/discovery”, host: “ds.mycompany.hu”

==> /var/log/nginx/access.log <==
10.0.0.233 - - [03/Oct/2017:09:32:57 +0200] “GET /hosting/discovery HTTP/1.1” 502 173 “-” “Nextcloud Server Crawler” “-”

Also my firewall setting on the document server:

[root@document-server ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http https
ports: 9980/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Do you have any idea where to check the problem?

UPDATE:
Oh wait? Do I have to install PHP separate on my document-server? Does the docker image contain it at all? If yes, what settings needs to be made in the PHP and what if I want to use PHP-FPM with a separate php-pool?

For information, I’ve also two servers, for about 150 users. On the Collabora server, I’ve the same warning messages and I can open documents from nextcloud without problems.

I’ve PHP (5.4 default) installed but I don’t think the docker image is using it.

Have you tried to disable SELinux or better to configure it ? In my case, I’ve set up it to “Permissive”.

GEEZUS! Forgot about selinux, I’ve disabled it and now at least I get the collabora interface (for the 1st time ever)

However, now I’ve the following error message:
Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists.

What is this?

Do not use localhost. Try with this:

docker run -t -d -p 9980:9980 -e 'cloud\\.mycompany\\.hu' --restart always --cap-add MKNOD collabora/code

Same error. I’ve just noticed, there are specific rules for using my own SSL certificate. How do I have to modify the docker command in order to use my own SSL cert? I don’t know how to use DONT_GEN_SSL_CERT at the moment.

UPDATE:
Ok, I’ve managed to tell docker how to not generate any SSL Cert, but the same error is what I receive. Here is the docker logs:

wsd-00025-00033 09:27:33.036856 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:365
wsd-00025-00035 09:27:33.554018 [ docbroker_001 ] ERR Failed to add session to [cloud.mycompany.hu:443/apps/richdocuments/wopi/files/14_ocmhygzdaynl] with URI [https://cloud.mycompany.hu/apps/richdocuments/wopi/files/14_ocmhygzdaynl?access_token=HT5Wi2fav7mawrsjETwFKchzjx18Xtpg&access_token_ttl=0&permission=edit]: No acceptable WOPI hosts found matching the target host [cloud.mycompany.hu] in config.| wsd/DocumentBroker.cpp:835
wsd-00025-00035 09:27:33.554100 [ docbroker_001 ] ERR Unauthorized Request while loading session for cloud.mycompany.hu:443/apps/richdocuments/wopi/files/14_ocmhygzdaynl: No acceptable WOPI hosts found matching the target host [cloud.mycompany.hu] in config.| wsd/LOOLWSD.cpp:2167
wsd-00025-00035 09:27:33.651900 [ docbroker_001 ] WRN Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:285
wsd-00025-00035 09:27:33.652355 [ docbroker_001 ] WRN Child session [0011] not found to forward message: load url=https://cloud.mycompany.hu/apps/richdocuments/wopi/files/14_ocmhygzdaynl?access_token=HT5Wi2fav7mawrsjETwFKchzjx18Xtpg&access_token_ttl=0&permission=edit readonly=0 lang=en| wsd/DocumentBroker.cpp:1316
wsd-00025-00035 09:27:33.657388 [ docbroker_001 ] ERR Socket #20 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00025-00035 09:27:33.657477 [ docbroker_001 ] ERR Socket #20 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273
wsd-00025-00035 09:27:33.657630 [ docbroker_001 ] WRN ToClient-0011: Exception while closing socket for docKey [cloud.mycompany.hu:443/apps/richdocuments/wopi/files/14_ocmhygzdaynl]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:855
wsd-00025-00026 09:27:34.555456 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_001], started: true, finished: true| ./net/Socket.hpp:507
wsd-00025-00026 09:27:34.555518 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_001], started: true, finished: true| ./net/Socket.hpp:507
wsd-00025-00026 09:27:34.555625 [ prisoner_poll ] WRN Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:1418
wsd-00025-00026 09:27:34.555695 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_001], started: false, finished: true| ./net/Socket.hpp:507
wsd-00025-00026 09:27:34.555726 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_001], started: false, finished: true| ./net/Socket.hpp:507

I’m pretty sure you’ll see more than I do.

Collabora CODE docker does not use/need PHP.

Yeah, I’ve noticed. The error is somewhere at starting the docker I think. I’m sure I’m missing something, but what?

This is wrong. Use: -e “domain=cloud\\.mycompany\\.hu”

Thanks, this solved the issue. I’ve also marked it as a solution. Now I can finally start writing the documentation for myself about how to install NextCloud and Collabora without any humps and puffs.

Thank you @timar and @DavidHr !!!

correct! I have not seen this error! Thanks