HowTo: Install Collabora Online on Ubuntu 16.04. (without Docker!)

Im now using the Docker Image :slight_smile:

I just managed to install my Collabora Online, after about 9 months of suffering, the friendly user interface today finally opened uppon me and i was able to work in it, here’s what happened:

I had a seccomp error when starting loolwsd and tried everything i could find on the internet, the error would not go away, turns out i needed to install seccomp, a kernel module for linux, thus i tried that, wich was impossible since i had a VServer at Strato and they host their VServers with the software Virtuozzo to save some change on energy and save the environment, wich is a cause i support but wich bugged me a bit, the wise men and women at libre office land gave me the quest, i was forced to wander the lonely path of recompiling libre office online and loolwsd by myself stripping it of the seccomp support, i abstracted this old guide, adding a “–disable-seccomp” to the loolwsd configure and got stuck again with weird bugs while compiling libre office.

I then asked the humble codewarriors at the libre office irc and plead for help, they wouldn’t help me, but then one noticed my name, my father is a well known Figure in the land of LibreOffice and so they opened the gates and introduced me, questioned me, frawned at my request, but hinted me at a problem i never thought existed. The memory of my server was running low while creating LibreOffice, and i created the wrong github version as well, collabora-2-1 in the online repository and collabora/cp-5-3 in the core it shall be.

I then went forth to build the core again in a way that did not allow any test, as tests consumed the memory, this was frowned uppon by the wise men and women at libreoffice, but was seen as the only option as my server didn’t even allow me to enable swap files. Then i found out, that even this was not an option for my weak and cheap server, so i went forth as to compile it on a vserver, running into harddrive space issues because of my own fault but later building it to completion, i copied the compiled version, wich i failed to do right, as it stopped working on the server. But then i noticed something, the heavily modded minecraft server munched away allmost 2 gigabytes of my server’s 4 gigabyte of memory, so i stopped the minecraft server, and compiled libre office again with no tests, this time successfull. after compiling the local online github version i found more bugs, wich happened due to the github versions on the server not being 2-1 and 5-3, so i changed the branches to match the required. After this compiled, i went and tried again, and it failed, i noticed that one branch was not updated since long, so i git pulled and recompiled.

Heureka, it worked. loolwsd would start, and not crash again.

then i spent a day getting something to work ssl wise and later got something to run with a selfmade root ca and a self signed certificate and the Gates of Collabora Online opened up on me. Heureka.

I now need to share the root CA certificate with everyone who wants to use collabora in my cloud, but at last, it works.

I know that at some point, there might have been easier, or even faster ways to do this, but after 9 Months of compiling, recompiling asking, building, cloning and generating i just want to say to the people out there with the crappy vservers and the ton of building problems and problems like
"ERR Failed to install seccomp syscall filter| common/Seccomp.cpp:199":

There is Hope, there is a Way, and i hope you find a faster Path than the one i went.


for the certificate: have a look at loolwsd.xml - you can add your own certificate here.

i know, i did, but i have to add my own ca certificate there as well right?

Yes you have to write the path of your cert, chain and private key.

Look inside /etc/loolwsd/loolwsd.xml

Oh, that’s sad, because that’s what i did, and with a selfmade CA for a self signed Certificate i have to install the CA on every Client.

Why don’t you use Let’s Encrypt for having a Good Cert, okay it’s for 90 Days only, but you can make a cron with a script for renewing automaticaly the cert.

For having/renewing automaticaly a cert, you have to use Apache2 or Ngnix on your collabora server and have the port
443 opened and working from the outside.

and the user manual :

actually i’m allready using certbot for my site, but i read some rumors about safety being an issue with collabora, and since i allready had to compile it without a certain security kernel module, i want to keep the lool user’s reading rights at a minimum, i’m not sure if one could read out the privkey with collabora then and do awfull stuff with it :confused: i haven’t completely modeled my attacker jet or tried it myself, but a private key sounds like something i wouldn’t wanna rist getting readable from the outside, also i would have to even the path into the other privkeys because i can’t just rip the privkey out as it’s a link to a file that changes every 90 days, i would have to manually go in every 90 days to coppy out the privkey or endanger the other privkeys

The private key for your collabora host won’t be the same as your nextcloud instance.
But using a selfsign cert on the collabora host will give you problems for using it

i agree, i edited my answer later, sorry, but how do i get the keys for a certain certbot page to be generated somewhere else, the link get’s updated every 90 days and it doesn’t work with a symbolic link to the symbolic link to the file even though i have read rights to all of them from collabora and to the folder of the first symbolic link, but i would have to change readrights to folders in the certbot area, and that sounds nasty :confused:

For me my path isn’t changing every 90 days.
Example : My Collabora instance is on this FQDN :
My cert, chain and privatekey are in this path : /etc/letsencrypt/live/
And they won’t move from this path;
so in /etc/loolwsd/loolwsd.xml i wrote :
/etc/letsencrypt/live/ for my cert file for example.

When i made a certbot renew, the cert will be overwritten by the new one, but the path won’t change

ah ok, so your lool user or whichever user starts collabora has to have read rights to the folder /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ and all of the above right? can it read the other certificates and keys as well? :slight_smile: because in generall, when i open, i can use it directly to open and read files, and i’m not sure if it can open the files in /etc/letsencrypt as well now that the read rights are there, because it has to be able to open at minimum the cache folder of loolwsd, the database of nextcloud and the folder where loolwsd is installed in to open the example files

oh… i think i found the solution :slight_smile: that’s what the hostnames pattern thing in that xml file was about, seems like it’s not directly a hole in the security, maybe i’ll try it :slight_smile: thank you :slight_smile

Does anybody know, where to look for some logs, if loolwsd won’t work anymore? The logs are either located at an unusual place or missing altogether…

/tmp/loolwsd.log might be a place to look at

Unfortuanety, no… no log file there. And the one in /var/log/looswsd.log is empty and hasn’t been touched ever so it would seem.

same error “lool service” … I did not find the file var / log. Then the opt / online / loolwsd.xml was adjusted with correct pem files. the folders and pem file give the correct rights. chown -R Lool: lool …
unfortunately everything without success same mistake.

In file included from wsd/LOOLWSD.cpp:106:0:
./common/UnitHTTP.hpp:86:18: error: ‘virtual bool UnitHTTPServerRequest::expectContinue() const’ marked ‘override’, but does not override
virtual bool expectContinue() const override
CXX common/IoUtil.o
make[2]: *** [wsd/LOOLWSD.o] error 1

the path is set in the loolwsd.xml file under config->logging->file->path :slight_smile: if it doesn’t happen there you can allways troubleshoot by starting loolwsd manually and just reading the terminals output using the command defined in the loolwsd.service, remember to do that without root permissions though, there should be something like a lool user that owns all the loolwsd related stuff.

the service file is under /etc/systemd/system/loolwsd.service by the way :slight_smile:

Thanks - I will keep that in mind, if loolwsd gives me troubles again.

see here: . Quote:

Which version of Loolwsd is installed? I have changed officeonline-install.cfg
The rest is standard."

great thx… if i do it with set_online_regex … shell script work and service “loolwsd” run now after them. but i cant find any log from service. status from service are run. but the webbroser give it no answer. how can i find the log file?
service loolwsd status say run … and if i make first request over web. the service say failed status 70.
i have read about it. but i cant find any problem.