Collabora Docker capabilities problem

Hi

I installed everything on Debian 8/PHP 7 Docker 1.6 (tried also 1.12).
When I start my docker instance I got the following errors, repeating every second:

wsd-00024-0024 0:00:01.008353 [ loolwsd ] WRN  Util::requestTermination: Exception: cannot terminate process
Generating RSA private key, 2048 bit long modulus
..........+++
...................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..............................+++
.....+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.6 - 1.9.6
loolforkit version details: 1.9.6 - 1.9.6
frk-00032-0032 0:00:00.000920 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00032-0032 0:00:00.000974 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00032-0032 0:00:00.001007 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00023-0023 0:00:01.008631 [ loolwsd ] WRN  Util::requestTermination: Exception: cannot terminate process
4 Likes

Hi,

same here. Updated the collabora container yesterday. Got the problem since then and the container doesn't start anymore.

best

Can confirm, I am having the same issue with the latest pull. I am running the same stack as righter1983.

Generating RSA private key, 2048 bit long modulus
.+++
....................................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
....+++
...........+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.6 - 1.9.6
loolforkit version details: 1.9.6 - 1.9.6
frk-00033-0033 0:00:00.001055 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00033-0033 0:00:00.001342 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00033-0033 0:00:00.001670 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00024-0024 0:00:01.010505 [ loolwsd ] WRN  Util::requestTermination: Exception: cannot terminate process

Same problem, with Debian 8, php 5.6, docker 1.12.3:

Generating RSA private key, 2048 bit long modulus
................................................................+++
..................................................................................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
......+++
..+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.6 - 1.9.6
loolforkit version details: 1.9.6 - 1.9.6
frk-00033-0033 0:00:00.000476 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00033-0033 0:00:00.000525 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00033-0033 0:00:00.000559 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00024-0024 0:00:00.755185 [ loolwsd ] WRN  Util::requestTermination: Exception: cannot terminate process
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................+++
..........+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
..........................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.6 - 1.9.6
loolforkit version details: 1.9.6 - 1.9.6
frk-00032-0032 0:00:00.000436 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00032-0032 0:00:00.000464 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00032-0032 0:00:00.000490 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00023-0023 0:00:00.757516 [ loolwsd ] WRN  Util::requestTermination: Exception: cannot terminate process

Then I ran the same image on my local desktop, with Archlinux but the same docker version (1.12.3), and no php installed, and it seems ok:

Generating RSA private key, 2048 bit long modulus
.+++
.............+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
...........................................................+++
.....+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.6 - 1.9.6
loolforkit version details: 1.9.6 - 1.9.6
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.11", "BuildId": "7512f1e1867672c06d987a94edb07f0a7ea0fc1e" }

If it’s related to loolforkit, then the LO version is the cause of the error. On debian 8, LO is on 4.3.3-2 and on archlinux I have 5.2.2-2. I’m going to try with the jessie-backports version, which is 5.2.3-rc1-4.

I have upgraded libreoffice, but I still have the same error, and loolwsd and loolforkit are still in 1.9.6 version. And it’s the same libreoffice online on archlinux too, so it may not be a version problem.

Sorry, it must be too early in the morning. The loolwsd and loolforkit must be the docker image versions. It would be useful to have the dockerfile of the collabora/code image, and also a fewer tags than latest.

Same here :frowning: You have a resolution to work around ?

@wisdom923 I don’t even know where to signal the problem. I tried to add a comment on docker hub and I’m waiting for an answer next week. I don’t think that the bugzilla of the documentfoundation is the right place for this, maybe I’m wrong.

Maybe it’s a kernel problem, something like this one.

which kernel are you using?

I ran into the same problem on debian wheezy. It seems that the docker storage driver AUFS and debian 8 do not fit together. [EDIT2] As this post is referenced often other systems seem to have problems with their default storage driver as well.

The solution is to change the docker storage driver, e.g. to devicemapper. Under Debian 8 or 9 proceed as follows (as root user in this example):
[EDIT2] The “systemd” solution I initially posted still should work fine for anybody using it … but as always solutions change over time. @almereyda mentioned below that you can use a json config file (tested with docker ce 17_09 on debian 9) :

editor /etc/docker/daemon.json

That file should (at least) contain:

{
    "storage-driver": "devicemapper"
}

If you want to use another storage-driver or change more options for dockerd, at the end of this post there is another EDIT2 Block containing links to other storage driver options and the daemon.json file itself.

If you would want to get rid of all old containers, enter

docker system prune

and confirm that you will delete any and all old containers.

:scream: This will delete any and all old containers - which is why you have to consciously enter “y”. If you have more going on in docker please consider how to get your other containers running on the new storage location. You have been warned.

restart docker and your container

systemctl restart docker.service
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=YOUR.CLOUD.COM' --restart always --cap-add MKNOD collabora/code

This last command also starts a download of the collabora container.

Hope this helps others running into this problem.

Anyone who has a more complex docker setup and wants to adapt this solution should take a look here:

  1. Runtime options with Memory, CPUs, and GPUs | Docker Docs
  2. Docker storage drivers | Docker Docs
  3. https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file

[EDIT2] @almereyda “made me” revisit my solution. I do not disagree with your post. Two thoughts on that:

  1. Docker thankfully provides a userguide on how to choose the storage driver and configuration details for any . As the choice of the storage driver for docker might be a “moving target” as technology evolves, it is definitely worth taking a look if my post is still up to date (see above)
    At the time of updating this article for the 2nd time (November 2017), Docker CE still would use aufs as per default on Debian and Ubuntu. The preference is noted as follows in the docker storagedriver/selectadriver article (Link 2. above):
    Docker CE on Debian aufs, devicemapper, overlay2 (Debian Stretch), overlay, vfs
    As far as I can see, besides “aufs”, “devicemapper” is still the preferred choice for all OS’es other than Debian and Ubuntu.
    So, in order to use collabora which should not store any persistent data I will stick with “devicemapper”, as this is still the “most preferred” way by docker standards besides aufs - which produces the problems leading to this post.
    If you have other use cases to consider ( = docker containers that need to persist data, like maybe nextcloud) feel free to use overlay2 storage driver instead - most likely you are correct about the simplicity of that driver :wink: .

  2. Dockerd has its own config in /etc/docker/daemon.json …
    Finally! - this means that the Systemd unit has not to be touched any more. Sooo…
    I test installed docker on a “virgin” Debian 9. Docker CE provides the option which makes the configuration much simpler. If you have special needs that should be configured take a look at (Link 3 above).

9 Likes

Yeah, I took the long route and installed the liquorix kernel for debian 8.

Switching to the lvm/devicemapper storage driver fixed the issue for me (Debian 8). Thanks!

I’m using SMP Debian 3.16.36-1+deb8u2

I’m going to try your solution, @GuZ

Thanks @GuZ your tip helped me solve the issue on Ubuntu 14.04

I stopped the collabora docker by

docker ps (to get the id)
docker stop [id]
docker rm [id]

then changed /etc/default/docker

# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--storage-driver=devicemapper"

restarted docker
and started collabora again which downloaded a new image and is running perfect now

for big production sites it’s maybe worth to fix the aufs problem or to properly configure devicemapper as described here: https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/, for personal use the above fix should be fine

1 Like

@Andreas_Fuchs it seems to be the better solution to edit
/etc/default/docker
but in debian the file contains this big disclaimer:

THIS FILE DOES NOT APPLY TO SYSTEMD
Please see the documentation for “systemd drop-ins”:
Runtime options with Memory, CPUs, and GPUs | Docker Docs

I am just reading through the drop-in section there to take a look into it. Maybe there is another solution in place there

Done reading - the recommended solution by docker is to use a drop-in configuration file under
/etc/systemd/system/docker.service.d/
containing all configuration parameters that need change. The docker page contains good information on how to do that.
Still, using a custom docker.service unit is sufficient but an oversized solution knowing there is a better way… I’ll change my configuration and update the solution I initially posted.

1 Like

In newer Docker versions, you will want to adapt the configuration in /etc/docker/daemon.json. Additionally, devicemapper is hard to configure for production environments and preferably replaced by overlay2 for Debian Stretch hosts.

1 Like

Thx! fixed it! w000t

I am working with centos7 and I have the same error in docker, as I do so that docker can use the self-signed .crt and .key and I do not get the same error … help me please estimate.

Hey guys as far as I could trace this
if you are running collabora in docker or directly on a machine that has its filesystem mounted as NFS you can not use capabilities since they are not supported by NFS.
The fix is to disable the capabilities check by passing --o:security.capabilities=false to loolwsd
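
The two causes reported in this thread (the AUFS storage driver and an NFS-mounted filesystem) as a small triage script. This is an added example, not code from any poster or from Collabora; the function names, the constructed sample log and the default data root /var/lib/docker are assumptions.

```shell
#!/bin/sh
# Added example: triage "Capability ... is not set" failures from loolforkit.

# Constructed sample, in the shape of the log lines quoted in the thread.
SAMPLE_LOG='frk-00032-0032 0:00:00.000920 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00032-0032 0:00:00.000974 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00032-0032 0:00:00.001007 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00023-0023 0:00:01.008631 [ loolwsd ] WRN  Util::requestTermination: Exception: cannot terminate process'

# missing_caps: read a container log on stdin and print each capability that
# loolforkit reported as not set, once, sorted, separated by spaces.
missing_caps() {
    sed -n 's/.*\[ loolforkit ] FTL  *Capability \(cap_[a-z_]*\) is not set.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# diagnose DRIVER FSTYPE: map the storage driver and the filesystem type
# under Docker's data directory to the fix reported in the thread.
diagnose() {
    driver=$1 fstype=$2
    case "$fstype" in
        nfs*) echo "nfs: file capabilities unsupported; pass --o:security.capabilities=false to loolwsd"
              return 0 ;;
    esac
    case "$driver" in
        aufs) echo "aufs: set \"storage-driver\" in /etc/docker/daemon.json (devicemapper or overlay2), restart docker, re-create the container" ;;
        *)    echo "$driver on $fstype: not a cause named in the thread" ;;
    esac
}

# live_check CONTAINER: run both steps against a real host.
# Assumes the docker CLI, GNU stat and the default data root /var/lib/docker.
live_check() {
    caps=$(docker logs "$1" 2>&1 | missing_caps)
    if [ -z "$caps" ]; then
        echo "no capability errors logged"
        return 0
    fi
    echo "missing file capabilities: $caps"
    diagnose "$(docker info --format '{{.Driver}}')" "$(stat -f -c %T /var/lib/docker)"
}
```

Run `live_check <container-id>` on the Docker host; the NFS case is checked first because changing the storage driver does not help when the data directory itself sits on NFS.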