Collabora_Online.AppImage Not Executable Error '400 Bad Request'

TheRoarkster · June 28, 2025, 10:26am

I have Nextcloud installed in a Docker container with a nginx proxy running on an Rpi4 and Ubuntu 24.04. I’m getting a repeating error regarding Collabora’s app image not being executable. Here is the error:

`Client error: `GET https://MYIP.ddyns.com/custom_apps/richdocumentscode_arm64/proxy.php?req=/hosting/discovery` resulted in a `400 Bad Request` response: <html><body> <h1>Socket proxy error</h1> <p>Error:  appimage_not_executable</p> </body></html>

It appears to be saying the the Collabora app image is not executable. But an ls -la of /var/www/html/custom_apps/richdocumentscode_arm64/collabora/Collabora_Online.AppImage yields:
-rwxr--r-- 1 www-data www-data 250003840 Jun 5 12:15 Collabora_Online.AppImage.

So it is executable by www-data, but not by the group and not by others.

I have tried to just manually chmod the file to 755, so that both group and others can execute, both inside the nextcloud-app and on my Rpi4 host:
Rpi4
chmod +x ~/nextcloud/data/custom_apps/richdocumentscode_arm64/collabora/Collabora_Online.AppImage
and
nextcloud-app container
docker exec -it nextcloud-app bash
chmod +x /var/www/html/custom_apps/richdocumentscode_arm64/collabora/Collabora_Online.AppImage

This change “works” for a few minutes, i.e., the AppImage becomes executable and the error desists. But the change does not persist, and the error returns.

Does anyone have a fix for this? Basic setup information below. Thanks!

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 31.0.6.2
Operating system and version (e.g., Ubuntu 24.04):
- Ubunt 24.04
Web server and version (e.g, Apache 2.4.25):
- Apache/2.4.62
Reverse proxy and version _(e.g. nginx 1.27.2)
- 1.27.5
PHP version (e.g, 8.3):
- PHP/8.3.22
Is this the first time you’ve seen this error? (Yes / No):
- No
When did this problem seem to first start?
- weeks
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- nextcloud-app docker
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Log entries

Nextcloud log

[see above: that error just repeats]

Configuration

Nextcloud

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "overwritehost": "MYIP.ddyns.com",
        "overwriteprotocol": "https",
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.0.88",
            "rpi4.lan",
            "MYIP.ddyns.com",
            "nextcloud-app",
            "172.18.0.5"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.6.2",
        "overwrite.cli.url": "https:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "US",
        "default_timezone": "America\/Los_Angeles",
        "maintenance_window_start": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": true,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode_allowlist": [
            "protonmail-bridge",
            "127.0.0.1",
            "in-v3.mailjet.com"
        ],
        "mail_imapmode_allowlist": [
            "protonmail-bridge",
            "127.0.0.1"
        ],
        "maintenance": false,
        "default_locale": "en_US",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "memories.db.triggers.fcu": true,
        "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/exiftool-aarch64-glibc",
        "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/go-vod-aarch64",
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\Movie",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\FFmpeg"
        ],
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "app_install_overwrite": [],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "loglevel": 2,
        "signaling": {
            "servers": [
                {
                    "server": "https:\/\/MYIP.ddyns.com",
                    "verify": true,
                    "secret": "7b635fe28882c631f053fa30421731024612337de1874d7acfa4196111e0a4da"
                }
            ]
        }
    }
}

Apps

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.3.2
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.1.3
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_accesscontrol: 2.0.0
  - files_automatedtagging: 2.0.0
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - groupfolders: 19.1.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - mail: 5.1.3
  - memories: 7.5.2
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.1
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - related_resources: 2.0.0
  - richdocuments: 8.7.1
  - richdocumentscode_arm64: 25.4.202
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.1.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - suspicious_login: 9.0.1
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - updatenotification: 1.21.0
  - user_ldap: 1.22.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - contactsinteraction: 1.12.0 (installed 1.12.0)
  - encryption: 2.19.0 (installed 2.19.0)
  - recommendations: 4.0.0 (installed 4.0.0)

jtr · June 28, 2025, 2:15pm

The permissions changing again shortly after you change them make sense with the way proxy.php works (see here), but I have no idea why PHP’s is_executable() is failing for you (nor why your workaround temporarily works).

What Docker version?
What’s the underlying filesystem?
Maybe AppArmor (or SELinux)?

For completeness post your Docker Compose file too maybe.

TheRoarkster · June 28, 2025, 7:01pm

Thanks for the response. Here are the data points you suggested:

DOCKER VERSION

Docker version 28.2.2, build e6534b4

Underlying filesystem (I think this is what you mean, but not sure)

$docker inspect --format='{{.GraphDriver.Name}}' nextcloud-app}'
overlay2

But if you mean the nextcloud-app operating system, it’s:

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm

APPARMOR OR SELINUX

Results for AppArmor on the host Rpi4

apparmor module is loaded.
194 profiles are loaded.
98 profiles are in enforce mode.
   /snap/snapd/23772/usr/lib/snapd/snap-confine
   /snap/snapd/23772/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/24509/usr/lib/snapd/snap-confine
   /snap/snapd/24509/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/24724/usr/lib/snapd/snap-confine
   /snap/snapd/24724/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/evince//snap_browsers
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   plasmashell
   plasmashell//QtWebEngineProcess
   rsyslogd
   snap-update-ns.chromium
   snap-update-ns.cups
   snap-update-ns.firefox
   snap-update-ns.mesa-2404
   snap-update-ns.snap-store
   snap-update-ns.snapd-desktop-integration
   snap.chromium.chromedriver
   snap.chromium.chromium
   snap.chromium.daemon
   snap.chromium.hook.configure
   snap.cups.accept
   snap.cups.cancel
   snap.cups.cups-browsed
   snap.cups.cupsaccept
   snap.cups.cupsctl
   snap.cups.cupsd
   snap.cups.cupsdisable
   snap.cups.cupsenable
   snap.cups.cupsfilter
   snap.cups.cupsreject
   snap.cups.cupstestppd
   snap.cups.driverless
   snap.cups.gs
   snap.cups.ippeveprinter
   snap.cups.ippfind
   snap.cups.ipptool
   snap.cups.lp
   snap.cups.lpadmin
   snap.cups.lpc
   snap.cups.lpinfo
   snap.cups.lpoptions
   snap.cups.lpq
   snap.cups.lpr
   snap.cups.lprm
   snap.cups.lpstat
   snap.cups.reject
   snap.firefox.firefox
   snap.firefox.geckodriver
   snap.firefox.hook.configure
   snap.firefox.hook.disconnect-plug-host-hunspell
   snap.firefox.hook.install
   snap.firefox.hook.post-refresh
   snap.mesa-2404.component-monitor
   snap.mesa-2404.hook.connect-plug-kernel-gpu-2404
   snap.mesa-2404.hook.disconnect-plug-kernel-gpu-2404
   snap.mesa-2404.hook.install
   snap.mesa-2404.hook.post-refresh
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
   snap.snapd-desktop-integration.hook.configure
   snap.snapd-desktop-integration.snapd-desktop-integration
   tcpdump
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
   unix-chkpwd
   unprivileged_userns
5 profiles are in complain mode.
   /usr/sbin/sssd
   transmission-cli
   transmission-daemon
   transmission-gtk
   transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
91 profiles are in unconfined mode.
   1password
   Discord
   MongoDB Compass
   QtWebEngineProcess
   balena-etcher
   brave
   buildah
   busybox
   cam
   ch-checkns
   ch-run
   chrome
   crun
   devhelp
   element-desktop
   epiphany
   evolution
   firefox
   flatpak
   foliate
   geary
   github-desktop
   goldendict
   ipa_verify
   kchmviewer
   keybase
   lc-compliance
   libcamerify
   linux-sandbox
   loupe
   lxc-attach
   lxc-create
   lxc-destroy
   lxc-execute
   lxc-stop
   lxc-unshare
   lxc-usernsexec
   mmdebstrap
   msedge
   nautilus
   notepadqq
   obsidian
   opam
   opera
   pageedit
   podman
   polypane
   privacybrowser
   qcam
   qmapshack
   qutebrowser
   rootlesskit
   rpm
   rssguard
   runc
   sbuild
   sbuild-abort
   sbuild-adduser
   sbuild-apt
   sbuild-checkpackages
   sbuild-clean
   sbuild-createchroot
   sbuild-destroychroot
   sbuild-distupgrade
   sbuild-hold
   sbuild-shell
   sbuild-unhold
   sbuild-update
   sbuild-upgrade
   scide
   signal-desktop
   slack
   slirp4netns
   steam
   stress-ng
   surfshark
   systemd-coredump
   thunderbird
   toybox
   trinity
   tup
   tuxedo-control-center
   userbindmount
   uwsgi-core
   vdens
   virtiofsd
   vivaldi-bin
   vpnns
   vscode
   wike
   wpcom
40 processes have profiles defined.
40 processes are in enforce mode.
   /usr/sbin/cups-browsed (3884260) 
   /usr/sbin/cupsd (3884258) 
   /usr/lib/cups/notifier/dbus (3884259) /usr/sbin/cupsd
   /usr/bin/bash (3102) docker-default
   /usr/bin/socat1 (3416) docker-default
   /usr/bin/socat1 (3418) docker-default
   /usr/bin/cat (3436) docker-default
   /protonmail/proton-bridge (3437) docker-default
   /protonmail/bridge (3484) docker-default
   /usr/bin/gpg-agent (3862) docker-default
   /usr/bin/python3.12 (3488195) docker-default
   /usr/sbin/mariadbd (3488205) docker-default
   /usr/sbin/apache2 (3488396) docker-default
   /usr/sbin/nginx (3488538) docker-default
   /usr/sbin/apache2 (3488551) docker-default
   /usr/sbin/apache2 (3488552) docker-default
   /usr/sbin/apache2 (3488553) docker-default
   /usr/sbin/apache2 (3488554) docker-default
   /usr/sbin/apache2 (3488555) docker-default
   /usr/sbin/nginx (3488643) docker-default
   /opt/eturnal/erts-15.1.2/bin/beam.smp (3488652) docker-default
   /usr/local/bin/janus (3488653) docker-default
   /usr/local/bin/nats-server (3488654) docker-default
   /usr/local/bin/nextcloud-spreed-signaling (3488657) docker-default
   /opt/eturnal/erts-15.1.2/bin/erl_child_setup (3488752) docker-default
   /opt/eturnal/erts-15.1.2/bin/inet_gethost (3488776) docker-default
   /opt/eturnal/erts-15.1.2/bin/inet_gethost (3488777) docker-default
   /usr/sbin/apache2 (3489468) docker-default
   /usr/sbin/apache2 (3489570) docker-default
   /usr/bin/bash (3494274) docker-default
   /usr/sbin/apache2 (3504459) docker-default
   /usr/sbin/apache2 (3783104) docker-default
   /usr/sbin/apache2 (3807836) docker-default
   /usr/sbin/rsyslogd (1845) rsyslogd
   /usr/bin/dash (2130) snap.cups.cups-browsed
   /usr/bin/dash (2386) snap.cups.cups-browsed
   /usr/bin/sleep (4026169) snap.cups.cups-browsed
   /usr/bin/dash (2131) snap.cups.cupsd
   /snap/cups/1102/sbin/cupsd (2373) snap.cups.cupsd
   /snap/cups/1102/sbin/cups-proxyd (2374) snap.cups.cupsd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.

$ docker inspect --format='{{.AppArmorProfile}}' nextcloud-app
docker-default

$docker inspect --format='{{json .HostConfig.SecurityOpt}}' nextcloud-app
null

$ sestatus
Command 'sestatus' not found, but can be installed with: sudo apt install policycoreutils

DOCKER COMPOSE YML

services:
  nextcloud-db:
    image: mariadb:10.11
    container_name: nextcloud-db
    restart: unless-stopped
    volumes:
      - ./database:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=secure_root_password
      - MYSQL_PASSWORD=nextcloud_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    networks:
      - nextcloud-network

  nextcloud-app:
#    image: nextcloud:latest
    build:
      context: .
      dockerfile: Dockerfile
    container_name: nextcloud-app
    restart: unless-stopped
    depends_on:
      - nextcloud-db
    volumes:
      - ./data:/var/www/html
      - ./config:/var/www/html/config
    environment:
      - MYSQL_HOST=nextcloud-db
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=nextcloud_password
      - NEXTCLOUD_ADMIN_USER=admin
      - NEXTCLOUD_ADMIN_PASSWORD=admin_password
      - NEXTCLOUD_TRUSTED_DOMAINS=192.168.0.155
      - OVERWRITEPROTOCOL=https
      - OVERWRITEHOST=#REDACTED#
      - PHP_MEMORY_LIMIT=512M
      - PHP_UPLOAD_LIMIT=2G
      - PHP_POST_MAX_SIZE=2G
    networks:
      - nextcloud-network

  nginx-proxy:
    image: nginx:alpine
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./ssl:/etc/nginx/ssl
    depends_on:
      - nextcloud-app
    networks:
      - nextcloud-network

## NEW FOR HPB
  nextcloud-talk-hpb:
    image: ghcr.io/nextcloud-releases/aio-talk:latest
    container_name: nextcloud-talk-hpb
    restart: always
    ports:
      - "8081:8081"  # HPB port
      - "3478:3478/udp"  # STUN/TURN UDP
      - "3478:3478/tcp"  # STUN/TURN TCP
    environment:
      - NC_DOMAIN=#REDACTED#
      - TALK_HOST=#REDACTED#
      - TALK_PORT=3478
      - TURN_EXTERNAL_IP=#REDACTED#
      - INTERNAL_SECRET=#REDACTED#
      - TURN_SECRET=#REDACTED#
      - SIGNALING_SECRET=#REDACTED#
    networks:
      - nextcloud-network

networks:
  nextcloud-network:
    external: true