Issue installing Collabora following official guide

Iā€™m following the guide at https://nextcloud.com/collaboraonline/ and I have a fresh NextCloud installation version 9.0.52 on Ubuntu 14.04. There are several problems:

  1. Special characters when running docker: the documentation mentions the need to escape periods. Are there other characters (e.g. hyphens) that should also be escaped?
  2. Apache Configuration ServerName: the guide mentions the servername including the colon and port but my understanding is that the server name should be without the port, isnā€™t it?
  3. Apache Configuration DocRoot: the virtual host declares some paths that will be handled by the proxy settings, but if you browser to the domain itself, Apache is serving that request without using any proxy and in the default configuration delivers the request as if it were going to the default docroot of that host. Shouldnā€™t there be a DocRoot declaration that captures everything not being handled by the proxies and respond with a 404?
  4. Install the ā€œCollabora Online appā€: The problem is that the app in my installation is named ā€œCollabora Online Connectorā€ and it is labeled as experimental. Is that correct? If not, why is my installation which is fresh (see above) not showing the correct one?
  5. When going to the admin area where I want to provide the URL for the Collabora instance, I can click on ā€œSaveā€ but it doesnā€™t do anything. Nothing found in the logs for this. Maybe this is because of the previous item and Iā€™m running the wrong app version? The version number given is 1.1.3

Any help is much appreciated and maybe we should eventually update the installation guide.

While I canā€™t say anything about 1. to 3. for my test setup, I ran into the same questions you describe in 4. and 5.

For me, the ā€œSaveā€ button didnā€™t work either when I tried with Safari ā€“ the field simply reset to the default entry (localhost) after exiting the settings. However, it did work when using Firefox on the same Mac.

I can now open Collabora from the Nextcloud dropdown menu and select one of my ODT files, afterwards it loads some kind of UI (with text formatting options), but loading the document fails with an ā€œunexpected connection errorā€.

I have the same ā€œunexpected connection errorā€ here.

It uses regex. So yes, might be required to also escape your hypens.

Shouldnā€™t make a big difference I think. But PR welcome to nextcloud.com/page-collaboraonline.php at master Ā· nextcloud/nextcloud.com Ā· GitHub :slight_smile:

Remarked it as approved.

Please check your browser console log. Also what browser do you use?

This rather indicates a configuration issue, please post detailled what you did as well as the log output of the docker container. (start it without -d so we can see what it fails at)

Thanks @LukasReschke Iā€™ll address 1-3 accordingly and I can already confirm that I now have an app ā€œOfficeā€ in the drop-down which I can open and that then gets me to https://cloud.my-domain.com/index.php/apps/richdocuments/index with 4 buttons to add three different document types or to upload one. So item 4 and 5 is now also resolved.

However, when I click on ā€œNew documentā€ I get a gray square and when I click on that I get a message ā€œFailed to open undefined, file not supported.ā€

The browser console shows an error ā€œContent Security Policy: frame-srcā€ and that instead child-src should be used.

And when I try to upload a document I get ā€œType Error: window.FileList.findFileEl is not a functionā€.

The log is full of entries like ā€œUndefined index: dir at /var/www/nextcloud/paragon/apps/richdocuments/controller/documentcontroller.php#289ā€

Browsers used: latest Chrome and latest Firefox on Ubuntu 16.04 LTS

What does your docker container say in the logs? I suppose the connection attempt is somehow failing :slight_smile:

I have the same problem as @jurgenhaas.

The logs get spammed with

office_1 | kit-00615-00 00:10:04.054159 [ loolkit ] Process started.
office_1 | kit-00615-00 00:10:04.054358 [ loolkit ] Jail path: /opt/lool/child-roots/615/
office_1 | kit-00615-00 00:10:04.054722 [ loolkit ] symlink(ā€œā€¦/loā€,ā€œ/opt/lool/child-roots/615/opt/collaboraoffice5.1ā€)
office_1 | kit-00615-00 00:10:04.181319 [ loolkit ] skip redundant paths share/config/wizard
office_1 | kit-00615-00 00:10:04.192258 [ loolkit ] skip redundant paths share/template
office_1 | kit-00615-00 00:10:04.192292 [ loolkit ] skip redundant paths share/Scripts
office_1 | kit-00615-00 00:10:04.198212 [ loolkit ] skip redundant paths share/gallery
office_1 | kit-00615-00 00:10:04.201204 [ loolkit ] skip redundant paths share/basic
office_1 | kit-00615-00 00:10:04.207073 [ loolkit ] skip redundant paths program/wizards
office_1 | kit-00615-00 00:10:04.365934 [ loolkit ] Initialized jail files.
office_1 | kit-00615-00 00:10:04.366124 [ loolkit ] mknod(/opt/lool/child-roots/615//dev/random) failed. (errno: Operation not permitted)
office_1 | kit-00615-00 00:10:04.366181 [ loolkit ] mknod(/opt/lool/child-roots/615//dev/urandom) failed. (errno: Operation not permitted)
office_1 | kit-00615-00 00:10:04.366197 [ loolkit ] chroot(ā€œ/opt/lool/child-roots/615/ā€)
office_1 | kit-00615-00 00:10:04.366217 [ loolkit ] chroot(ā€œ/opt/lool/child-roots/615/ā€) failed. (errno: Operation not permitted)
office_1 | frk-00030-00 00:10:05.054808 [ loolforkit ] Child 615 has exited, removing its jail ā€˜/opt/lool/child-roots/615ā€™
office_1 | wsd-00021-00 00:10:10.434189 [ loolwsd ] MasterToForKit: spawn 1
office_1 | wsd-00021-00 00:10:10.434237 [ loolwsd ] Writing to pipe. Data: [spawn 1].
office_1 | frk-00030-00 00:10:10.050371 [ loolforkit ] readFIFO for pipe: wsd_pipe_rd returned: 8
office_1 | frk-00030-00 00:10:10.050411 [ loolforkit ] Read line from pipe: wsd_pipe_rd, line: [spawn 1], data: .
office_1 | frk-00030-00 00:10:10.050424 [ loolforkit ] ForKit command: [spawn 1].
office_1 | frk-00030-00 00:10:10.050443 [ loolforkit ] Spawning 1 child per request.
office_1 | frk-00030-00 00:10:10.050455 [ loolforkit ] Creating 1 new child.
office_1 | frk-00030-00 00:10:10.050464 [ loolforkit ] Forking a loolkit process.
office_1 | frk-00030-00 00:10:10.053234 [ loolforkit ] Forked kit [620].
office_1 | kit-00620-00 00:10:10.053566 [ loolforkit ] Initializing kit
office_1 | kit-00620-00 00:10:10.053626 [ loolforkit ] Log level is [8].
office_1 | kit-00620-00 00:10:10.053686 [ loolkit ] Process started.
office_1 | kit-00620-00 00:10:10.053806 [ loolkit ] Jail path: /opt/lool/child-roots/620/
office_1 | kit-00620-00 00:10:10.054110 [ loolkit ] symlink(ā€œā€¦/loā€,ā€œ/opt/lool/child-roots/620/opt/collaboraoffice5.1ā€)
office_1 | kit-00620-00 00:10:10.181806 [ loolkit ] skip redundant paths share/config/wizard
office_1 | kit-00620-00 00:10:10.192326 [ loolkit ] skip redundant paths share/template
office_1 | kit-00620-00 00:10:10.192370 [ loolkit ] skip redundant paths share/Scripts
office_1 | kit-00620-00 00:10:10.198030 [ loolkit ] skip redundant paths share/gallery
office_1 | kit-00620-00 00:10:10.200936 [ loolkit ] skip redundant paths share/basic
office_1 | kit-00620-00 00:10:10.206367 [ loolkit ] skip redundant paths program/wizards
office_1 | kit-00620-00 00:10:10.342580 [ loolkit ] Initialized jail files.
office_1 | kit-00620-00 00:10:10.342755 [ loolkit ] mknod(/opt/lool/child-roots/620//dev/random) failed. (errno: Operation not permitted)
office_1 | kit-00620-00 00:10:10.342795 [ loolkit ] mknod(/opt/lool/child-roots/620//dev/urandom) failed. (errno: Operation not permitted)
office_1 | kit-00620-00 00:10:10.342805 [ loolkit ] chroot(ā€œ/opt/lool/child-roots/620/ā€)
office_1 | kit-00620-00 00:10:10.342829 [ loolkit ] chroot(ā€œ/opt/lool/child-roots/620/ā€) failed. (errno: Operation not permitted)
office_1 | frk-00030-00 00:10:11.054421 [ loolforkit ] Child 620 has exited, removing its jail ā€˜/opt/lool/child-roots/620ā€™

There is nothing in the docker logs regarding opening a file/creating a file

Small Edit:

I use docker-compose and this is my docker-compose.yml:

cloud:
image: wonderfall/nextcloud
restart: always
links:
- cloudDB:cloudDB
environment:
- UID=109
- GID=119
- VIRTUAL_HOST=cloud.example.com
- LETSENCRYPT_HOST=cloud.example.com
- LETSENCRYPT_EMAIL=certs@example.com
volumes:
- /home/cloud/data:/data
- /home/cloud/config:/config
- /home/cloud/apps:/apps2

cloudDB:
image: mariadb:10
restart: always
volumes:
- /home/cloud/db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=someThing
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD=someThing

office:
image: collabora/code
restart: always
ports:
- ā€œ127.0.0.1:9980:9980ā€
environment:
- VIRTUAL_HOST=office.example.com
- LETSENCRYPT_HOST=office.example.com
- LETSENCRYPT_EMAIL=certs@example.com
- domain=cloud.example.com
cap_add:
- MKNOD

I become the the error ā€¦

and here is my log:

Generating RSA private key, 2048 bit long modulus
ā€¦+++
ā€¦+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
ā€¦+++
ā€¦+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
wsd-00022-00 00:00:00.000712 [ loolwsd ] Initializing wsd
wsd-00022-00 00:00:00.000858 [ loolwsd ] Log level is [8].
wsd-00022-00 00:00:00.002511 [ loolwsd ] Open Documents Limit: 10
wsd-00022-00 00:00:00.002616 [ loolwsd ] Client Connections Limit: 20
wsd-00022-00 00:00:00.002774 [ loolwsd ] Adding trusted WOPI host: [nextcloud.adm.dcsix].
wsd-00022-00 00:00:00.002867 [ loolwsd ] Adding trusted WOPI host: [10.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}].
wsd-00022-00 00:00:00.002943 [ loolwsd ] Adding trusted WOPI host: [172.1[6789].[0-9]{1,3}.[0-9]{1,3}].
wsd-00022-00 00:00:00.003034 [ loolwsd ] Adding trusted WOPI host: [172.2[0-9].[0-9]{1,3}.[0-9]{1,3}].
wsd-00022-00 00:00:00.003103 [ loolwsd ] Adding trusted WOPI host: [172.3[01].[0-9]{1,3}.[0-9]{1,3}].
wsd-00022-00 00:00:00.003183 [ loolwsd ] Adding trusted WOPI host: [192.168.[0-9]{1,3}.[0-9]{1,3}].
wsd-00022-00 00:00:00.003256 [ loolwsd ] Adding blocked WOPI host: [192.168.1.1].
loolwsd 1.7.2 - 1.7.2
wsd-00022-00 00:00:00.003511 [ loolwsd ] SSL Cert file: /etc/loolwsd/cert.pem
wsd-00022-00 00:00:00.003589 [ loolwsd ] SSL Key file: /etc/loolwsd/key.pem
wsd-00022-00 00:00:00.003668 [ loolwsd ] SSL CA file: /etc/loolwsd/ca-chain.cert.pem
wsd-00022-00 00:00:00.012456 [ loolwsd ] FileServerRoot: /usr/share/loolwsd
wsd-00022-00 00:00:00.012779 [ loolwsd ] mkfifo(/opt/lool/child-roots/pipe/loolwsdfifo)
wsd-00022-00 00:00:00.012853 [ loolwsd ] File server ctor.
wsd-00022-00 00:00:00.013433 [ loolwsd ] Starting master server listening on 9980
wsd-00022-00 00:00:00.013570 [ loolwsd ] Starting prisoner server listening on 9981
wsd-00022-00 00:00:00.013668 [ loolwsd ] Launching forkit process: /usr/bin/loolforkit --losubpath=lo --systemplate=/opt/lool/systemplate --lotemplate=/opt/collaboraoffice5.1 --childroot=/opt/lool/child-roots/ --clientport=9980 --version
frk-00031-00 00:00:00.000759 [ loolforkit ] Initializing frk
frk-00031-00 00:00:00.000866 [ loolforkit ] Log level is [8].
loolforkit 1.7.2 - 1.7.2
frk-00031-00 00:00:00.000981 [ loolforkit ] Note: LD_BIND_NOW is not set.
frk-00031-00 00:00:00.001012 [ loolforkit ] Note: LOK_VIEW_CALLBACK is not set.
frk-00031-00 00:00:00.001112 [ loolforkit ] open(/opt/lool/child-roots/pipe/loolwsdfifo, RDONLY) = 4
wsd-00022-00 00:00:00.335334 [ loolwsd ] open(/opt/lool/child-roots/pipe/loolwsdfifo, WRONLY) = 8
wsd-00022-00 00:00:00.335677 [ loolwsd ] AdminModel ctor.
wsd-00022-00 00:00:00.336042 [ loolwsd ] Admin ctor.
wsd-00022-00 00:00:00.336189 [ loolwsd ] Memory stat ctor
wsd-00022-00 00:00:00.336455 [ loolwsd ] Cpu stat ctor
frk-00031-00 00:00:02.424755 [ loolforkit ] Preinit stage OK.
frk-00031-00 00:00:02.424843 [ loolforkit ] Forking a loolkit process.
frk-00031-00 00:00:02.429436 [ loolforkit ] Forked kit [35].
frk-00031-00 00:00:02.429627 [ loolforkit ] ForKit process is ready.
kit-00035-00 00:00:02.430099 [ loolforkit ] Initializing kit
kit-00035-00 00:00:02.430327 [ loolforkit ] Log level is [8].
kit-00035-00 00:00:02.430506 [ loolkit ] Process started.
kit-00035-00 00:00:02.430786 [ loolkit ] Jail path: /opt/lool/child-roots/35/
kit-00035-00 00:00:02.431411 [ loolkit ] symlink("ā€¦/lo","/opt/lool/child-roots/35/opt/collaboraoffice5.1")
kit-00035-00 00:00:02.654860 [ loolkit ] link("/opt/collaboraoffice5.1/LICENSE","/opt/lool/child-roots/35/lo/LICENSE") failed. Exiting. (errno: Operation not permitted)
frk-00031-00 00:00:03.430815 [ loolforkit ] Child 35 has exited, removing its jail '/opt/lool/child-roots/35ā€™
wsd-00022-00 00:00:04.336766 [ loolwsd ] MasterToForKit: spawn 1
wsd-00022-00 00:00:04.336856 [ loolwsd ] Writing to pipe. Data: [spawn 1].
frk-00031-00 00:00:04.002861 [ loolforkit ] readFIFO for pipe: wsd_pipe_rd returned: 8
frk-00031-00 00:00:04.003018 [ loolforkit ] Read line from pipe: wsd_pipe_rd, line: [spawn 1], data: [].
frk-00031-00 00:00:04.003105 [ loolforkit ] ForKit command: [spawn 1].
frk-00031-00 00:00:04.003382 [ loolforkit ] Spawning 1 child per request.
frk-00031-00 00:00:04.003496 [ loolforkit ] Creating 1 new child.
frk-00031-00 00:00:04.003607 [ loolforkit ] Forking a loolkit process.
frk-00031-00 00:00:04.010471 [ loolforkit ] Forked kit [36].
kit-00036-00 00:00:04.011065 [ loolforkit ] Initializing kit
kit-00036-00 00:00:04.011207 [ loolforkit ] Log level is [8].
kit-00036-00 00:00:04.011333 [ loolkit ] Process started.
kit-00036-00 00:00:04.011580 [ loolkit ] Jail path: /opt/lool/child-roots/36/
kit-00036-00 00:00:04.012164 [ loolkit ] symlink("ā€¦/lo","/opt/lool/child-roots/36/opt/collaboraoffice5.1")
kit-00036-00 00:00:04.082538 [ loolkit ] link("/opt/collaboraoffice5.1/LICENSE","/opt/lool/child-roots/36/lo/LICENSE") failed. Exiting. (errno: Operation not permitted)
frk-00031-00 00:00:05.011726 [ loolforkit ] Child 36 has exited, removing its jail '/opt/lool/child-roots/36ā€™
wsd-00022-10 00:00:05.348457 [ loolwsd ] Total memory used: 207864

Under /opt/lool/child-roots no dirs created and doesnā€™t exists ā€¦

This is a permission problem on your environment. Please make sure you donā€™t have anything in place that restricts the permission of the container. One example is AppArmor, it may be sensible to disable AppArmor for the docker container.

ā€¦ if somebody has some decent knowledge about AppArmor then feedback on proper rules for Ubuntu are welcome :slight_smile:

Aso make sure your Docker version supports already dropping the capabilities, alternatively starting with --privileged may help as well. On my Ubuntu Xenial docker host it was however sufficient to disable AppArmor.

I use Debian Jessie has Docker Host. My Docker Version is:

Docker version 1.11.2, build b9f10c9

I donā€™t think a docker container should rely on a disabled apparmor environment. Docker already provides a default policy.
If this is not sufficent you can provide your own policy. Disabling apparmor entirely might make an server more vulnerable.

If this is still an issue this weekend, i will setup a VM and test it with AppArmor disabled :slight_smile:

Got it working when disabling the firewall. Looks like my firewall settings are preventing communication with the docker network.

Tried using firefox for entering the domain of the Collabora VirtualHost right after reading your note - but to no avail. :pensive:

The browser console doesnā€™t say a thing for me - except for several errors about certificate issues. But hitting the SAVE button doesnā€™t do anything at all, so I wonder if Iā€™m using it correctly (Iā€™m unfamiliar with it, Iā€™m not a developer) - I just opened it and then hit the button again.

Getting similar output as Adnae from docker, with something like this repeating over and over again:

frk-00031-00 00:00:04.179890 [ loolforkit ] Forking a loolkit process.
kit-00035-00 00:00:04.186325 [ loolkit ] Jail path: /opt/lool/child-roots/35/
kit-00035-00 00:00:04.193690 [ loolkit ] symlink("../lo","/opt/lool/child-roots/35/opt/collaboraoffice5.1")
frk-00031-00 00:00:04.222657 [ loolforkit ] Forked kit [36].
kit-00036-00 00:00:04.233226 [ loolforkit ] Initializing kit
kit-00036-00 00:00:04.236718 [ loolforkit ] Log level is [8].
kit-00036-00 00:00:04.239553 [ loolkit ] Process started.
kit-00036-00 00:00:04.241127 [ loolkit ] Jail path: /opt/lool/child-roots/36/
kit-00036-00 00:00:04.251402 [ loolkit ] symlink("../lo","/opt/lool/child-roots/36/opt/collaboraoffice5.1")
kit-00035-00 00:00:04.821600 [ loolkit ] link("/opt/collaboraoffice5.1/readmes/README_en-US","/opt/lool/child-roots/35/lo/readmes/README_en-US") failed. Exiting. (errno: Operation not permitted)
kit-00036-00 00:00:04.825847 [ loolkit ] link("/opt/collaboraoffice5.1/readmes/README_en-US","/opt/lool/child-roots/36/lo/readmes/README_en-US") failed. Exiting. (errno: Operation not permitted)
wsd-00022-10 00:00:05.214971 [ loolwsd ] Total memory used: 113408
frk-00031-00 00:00:05.232064 [ loolforkit ] Child 35 has exited, removing its jail '/opt/lool/child-roots/35'
frk-00031-00 00:00:05.302966 [ loolforkit ] Child 36 has exited, removing its jail '/opt/lool/child-roots/36'

The last two kit-ā€¦ lines (about linkā€¦failed) are bold red
This keeps on happening, even when I donā€™t have ā€œOfficeā€ open.

The browser debug console shows error: Service is unavailable. Please try again later and report to your administrator if the issue persists. from the websocket connection:

For anyone having issues where the save button is not working - I got it to work just by waiting a couple of seconds; looks like itā€™s really slow. Also thereā€™s no confirmation of it having saved the new URL.

Also I received a cURL error saying that the root certificate had not been installed - I concatenated my self signed CA cert onto ca-bundle.crt and thatā€™s fixed it. I use self signed certificates and have CloudFlare on top in order to present a trusted cert. The ca-bundle.crt is going to get overwritten with every update, is there a better way of doing this? I donā€™t really understand either because my CA is trusted on my server and I can use cURL via the shell against it.

One last thing - is the docker container self updating?

I was able to set the URL using the following against my database:

insert into oc_appconfig(appid, configkey, configvalue) values ('richdocuments','wopi_url','https://[your url here]');

Now I can open the page that shows the document list. When I open a document, Iā€™m now also getting the We are sorry, this is an unexpected connection error. message.

Iā€™ve disabled apparmor and running in --privileged mode.

Hereā€™s what I see (repeated ad nauseum):

frk-00031-00 00:00:01.392604 [ loolforkit ] Preinit stage OK.
frk-00031-00 00:00:01.392685 [ loolforkit ] Forking a loolkit process.
frk-00031-00 00:00:01.396012 [ loolforkit ] Forked kit [35].
frk-00031-00 00:00:01.396135 [ loolforkit ] ForKit process is ready.
kit-00035-00 00:00:01.396303 [ loolforkit ] Initializing kit
kit-00035-00 00:00:01.396393 [ loolforkit ] Log level is [8].
kit-00035-00 00:00:01.396457 [ loolkit ] Process started.
kit-00035-00 00:00:01.396579 [ loolkit ] Jail path: /opt/lool/child-roots/35/
kit-00035-00 00:00:01.396950 [ loolkit ] symlink("../lo","/opt/lool/child-roots/35/opt/collaboraoffice5.1")
kit-00035-00 00:00:01.592696 [ loolkit ] link("/opt/collaboraoffice5.1/readmes/README_en-US","/opt/lool/child-roots/35/lo/readmes/README_en-US") failed. Exiting. (errno: Operation not permitted)

Are you all on Ubuntu 14.04? My best guess is https://github.com/docker/docker/issues/20658 then: Probably the kernel isnā€™t compiled with CONFIG_AUFS_XATTR. Has anybody the chance here to test that quickly? :slight_smile:

I have quickly tested to run docker with the --security-opt=seccomp:unconfined option and it looks as if it is working much better now. Still having to sort out my firewall issue but when I turn that off, it looks as if it is working OK.

I am running Debian 8 (Jessie) so not sure if still relevant.