Is Collabora Docker image broken?

Hi - I’m using NC 20.02 with collabora dockerhub image collabora/code:latest

I can no longer start the running container successfully, with the log files being spammed by the following:

cp: cannot create regular file '/opt/lool/systemplate/etc/resolv.conf': Permission denied
cp: cannot create regular file '/opt/lool/systemplate/etc/hosts': Permission denied
Can't open /etc/loolwsd/loolwsd.xml: Permission denied.
Can't open /etc/loolwsd/loolwsd.xml: Permission denied.
Can't open /etc/loolwsd/loolwsd.xml: Permission denied.
Run the script as root.
Can't open /etc/loolwsd/loolwsd.xml: Permission denied.
Can't open /etc/loolwsd/loolwsd.xml: Permission denied.
Setting up watches.
Couldn't watch /etc/loolwsd/loolwsd.xml: Permission denied
-rw-r----- 1 lool lool 18170 Nov 30 14:51 /etc/loolwsd/loolwsd.xml modified --> restarting
Hangup

My docker-compose.yml file is as follows

  collabora:
    restart: always
    image: collabora/code:latest
    container_name: collabora
    networks:
      - net
    ports:
      - 9980:9980
    cap_add:
      - MKNOD
    environment:
      - TZ=America/Chicago
      - username=admin
      - password=dockercol
      - domain=nextcloud\.domain\.com|test\.domain\.com|nc\.domain\.com
      - DONT_GEN_SSL_CERT=1
      - server_name=office.domain.com
      - extra_params=--o:ssl.enable=true
    volumes:
      - /etc/letsencrypt/office.domain.com/privkey.pem:/etc/loolwsd/key.pem:ro
      - /etc/letsencrypt/office.domain.com/cert.pem:/etc/loolwsd/cert.pem:ro
      - /etc/letsencrypt/office.domain.com/chain.pem:/etc/loolwsd/ca-chain.cert.pem:ro

Is Collabora Docker image broken?

nope. i just run my playbook on a test server and Collabora 6.4.2 is just working fine.

"RepoDigests": 
"collabora/code@sha256:876382f772b6e073530f6ec541485bff742e6c08718dceab13a3db4d470b9b6e"

cp: cannot create regular file

something’s wrong with your file permissions. did you check them?

See below – Sorry about double post

There was a recent commit of the latest Docker image that changed the UID of the container https://github.com/CollaboraOnline/online/commit/418743df893c7ec9b36c3661ea689e33150eb03a

I agree with your assessment about a permissions issue; however, the files the entrypoint is trying to create or reference are located within the container itself – not the host. I don’t mount /etc/loolwsd/loolwsd.xml, for example, as any type of external volume. I don’t do anything inside the /opt/lool directory. I have no idea where that structure came from.

My best guess is the entrypoint is calling a script and the script is running as this new user with ID=104 (the old ID was 101) and there is a conflict somewhere with the permissions in the container. I can’t start the container to log into it to see what the old container root user UID was.

all files in the container are “normal files” on the host. normally in /var/lib/docker/overlay2/<container-id>/ a sudo find /var/lib/docker -name "*collaboraoffice6.4*" gave me a long list. on my host these files belong to syslog:messagebus. because syslog has uid 104. in the container it’s lool.

these files should have the same uid as the user in the container has. only uid:gid matters. the name is only for humans to make ls -l more readable. docker/linux doesn’t care.

0, root is always 0 :wink:

My container isn’t starting so I don’t have a folder in that directory. The container will not start b/c of the permissions error.

I can confirm this. Happened to one of my customers.

@kevdog what is the output of

sudo find /var/lib/docker -name loolwsd.xml -exec ls -l {} \;

I updated my collabora image a week ago to latest version and it works fine with NC 19.0.5.2. the only problem was to get rid of the silly ribbon style menu. but I don’t expose the container with HTTPS and public cert… it’s running behind traefik proxy.

@Reiner_Nippes

Hey thanks a lot for troubleshooting this. I had to remove the image and reinstall the image for things to be linked properly. I’m betting the UID change didn’t change all the permissions but now things seem to be working.

Thanks for your help.

In summary - stop container and remove image and rebuild
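
A way to test the stale-UID guess from this thread, as an added example that is not part of the original posts or the Collabora image: it compares the numeric UID that `lool` has in a root filesystem's `etc/passwd` with the numeric owner of `etc/loolwsd/loolwsd.xml` in the same tree. The function names and the sample tree are hypothetical and constructed here; GNU `stat` is assumed.

```shell
#!/usr/bin/env bash
# Added example: does a file's numeric owner match the UID that a user name
# resolves to inside the same root filesystem tree? Only the numbers matter.

# uid_of_user ROOTFS USER -> prints USER's numeric UID from ROOTFS/etc/passwd
uid_of_user() {
    awk -F: -v u="$2" '$1 == u { print $3; found = 1; exit }
                       END { if (!found) exit 1 }' "$1/etc/passwd"
}

# check_owner ROOTFS USER RELPATH
# Returns 0 on match, 1 on mismatch, 2 if the user or file cannot be read.
check_owner() {
    local rootfs=$1 user=$2 rel=$3 want have
    want=$(uid_of_user "$rootfs" "$user") || {
        echo "error: no user $user in $rootfs/etc/passwd"; return 2; }
    have=$(stat -c %u "$rootfs/$rel" 2>/dev/null) || {
        echo "error: cannot stat $rootfs/$rel"; return 2; }
    if [ "$want" = "$have" ]; then
        echo "ok: $rel is owned by uid=$have, same as $user"
        return 0
    fi
    echo "mismatch: $rel is owned by uid=$have, but $user is uid=$want"
    return 1
}

# Constructed sample tree (not a real image layer). The file is owned by
# whoever runs this script; passwd maps lool to the UID passed in.
make_sample() {   # make_sample DIR LOOL_UID
    mkdir -p "$1/etc/loolwsd"
    printf 'root:x:0:0:root:/root:/bin/bash\nlool:x:%s:%s::/opt/lool:/bin/bash\n' \
        "$2" "$2" > "$1/etc/passwd"
    : > "$1/etc/loolwsd/loolwsd.xml"
}

tmp=$(mktemp -d)
me=$(id -u)
make_sample "$tmp/match" "$me"
# Stale case: the file kept its old owner while the user moved to a UID
# three higher, as in the 101 -> 104 change described in the thread.
make_sample "$tmp/stale" "$((me + 3))"
check_owner "$tmp/match" lool etc/loolwsd/loolwsd.xml || true
check_owner "$tmp/stale" lool etc/loolwsd/loolwsd.xml || true
rm -rf "$tmp"
```

On a real host, ROOTFS would be the directory above `etc/loolwsd` in the path printed by the `find` command earlier in the thread, and reading it needs root.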