Issue installing Collabora following official guide

@jurgenhaas Thanks. I made the changes and ran the following:

docker run  --security-opt=seccomp:unconfined --privileged -t -p 127.0.0.1:9980:9980 -e "domain=cloud\.[foo]\.com" --cap-add MKNOD  collabora/code

And still get this output (Ubuntu 14.04, 3.13.0-92-generic #139-Ubuntu SMP, Docker version 1.11.2, build b9f10c9):

frk-00031-00 00:00:02.916321 [ loolforkit ] Child 35 has exited, removing its jail '/opt/lool/child-roots/35'
wsd-00022-00 00:00:04.118696 [ loolwsd ] MasterToForKit: spawn 1
wsd-00022-00 00:00:04.118839 [ loolwsd ] Writing to pipe. Data: [spawn 1].
frk-00031-00 00:00:04.002663 [ loolforkit ] readFIFO for pipe: wsd_pipe_rd returned: 8
frk-00031-00 00:00:04.002795 [ loolforkit ] Read line from pipe: wsd_pipe_rd, line: [spawn 1], data: [].
frk-00031-00 00:00:04.002835 [ loolforkit ] ForKit command: [spawn 1].
frk-00031-00 00:00:04.002922 [ loolforkit ] Spawning 1 child per request.
frk-00031-00 00:00:04.002960 [ loolforkit ] Creating 1 new child.
frk-00031-00 00:00:04.002986 [ loolforkit ] Forking a loolkit process.
frk-00031-00 00:00:04.009967 [ loolforkit ] Forked kit [36].
kit-00036-00 00:00:04.010329 [ loolforkit ] Initializing kit
kit-00036-00 00:00:04.010420 [ loolforkit ] Log level is [8].
kit-00036-00 00:00:04.010487 [ loolkit ] Process started.
kit-00036-00 00:00:04.010639 [ loolkit ] Jail path: /opt/lool/child-roots/36/
kit-00036-00 00:00:04.011012 [ loolkit ] symlink("../lo","/opt/lool/child-roots/36/opt/collaboraoffice5.1")
kit-00036-00 00:00:04.045270 [ loolkit ] link("/opt/collaboraoffice5.1/readmes/README_en-US","/opt/lool/child-roots/36/lo/readmes/README_en-US") failed. Exiting. (errno: Operation not permitted)

Just wondering, are you starting docker with sudo?

@jurgenhaas Nope. Just starting docker as a normal user. Should I be running it as root?

@jurgenhaas I did everything as root user but still same issue.

I had also the connection error. Now its solved.
I have tried to made it with a new sub.domain with its own certificate from letsencrypt. No luck with this.
I found an red error in the log about my normal domain although lool was configured to other sub domain.
So I tried to change the settings to my normal sub domain (DynDNS).
Now I combined the Apache settings in the default-ssl.conf with all the other settings for my dyndns domain like nextcloud and others.
And … tata … it works.

Daniel from Thüringen

I have solved one error in the docker as could be seen in /var/log/syslog:

docker[22800]: time="2016-07-22T17:15:20+01:00" level=error msg="containerd: notify OOM events" error="open memory.oom_control: no such file or directory"

By adding the following to /etc/default/grub:
GRUB_CMDLINE_LINUX="cgroup_enable=memory"

But when starting the docker I still get the following errors from the docker output itself:

kit-00039-00 00:00:11.270019 [ loolkit ] link("/opt/collaboraoffice5.1/CREDITS.fodt","/opt/lool/child-roots/39/lo/CREDITS.fodt") failed. Exiting. (errno: Operation not permitted)                                                                                                                        
kit-00038-00 00:00:11.313616 [ loolkit ] link("/opt/collaboraoffice5.1/CREDITS.fodt","/opt/lool/child-roots/38/lo/CREDITS.fodt") failed. Exiting. (errno: Operation not permitted)                                                                                                                        
kit-00037-00 00:00:11.332961 [ loolkit ] link("/opt/collaboraoffice5.1/CREDITS.fodt","/opt/lool/child-roots/37/lo/CREDITS.fodt") failed. Exiting. (errno: Operation not permitted)                                                                                                                        
frk-00029-00 00:00:12.325073 [ loolforkit ] Child 37 has exited, removing its jail '/opt/lool/child-roots/37'                                        
frk-00029-00 00:00:12.542260 [ loolforkit ] Child 38 has exited, removing its jail '/opt/lool/child-roots/38'                                        
frk-00029-00 00:00:12.686059 [ loolforkit ] Child 39 has exited, removing its jail '/opt/lool/child-roots/39'

This error keeps popping up including the exit. When trying to open a document I get:

wsd-00020-03 00:00:51.998613 [ client_req_hdl ] Request from 192.168.7.241:52277: GET /lool/ws/https://cloud.<domain>/apps/richdocuments/wopi/fil
es/539952?access_token=Zbjpd9YbMVKTt7XNUOguQBzaoIcxUfvu HTTP/1.1 / Host: office.<domain> / Pragma: no-cache / Cache-Control: no-cache / Origin: h
ttps://office.<domain> / Sec-WebSocket-Version: 13 / DNT: 1 / User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Ge
cko) Chrome/51.0.2704.103 Safari/537.36 / Accept-Encoding: gzip, deflate, sdch, br / Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,nl;q=0.4 / Sec-WebSo
cket-Key: T2FU+ljR4J8BT7T8ZqRuFA== / Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits / X-Forwarded-For: 192.168.7.1 / X-Forwarde
d-Host: office.wijman.me.uk / X-Forwarded-Server: office.<domain> / Upgrade: WebSocket / Connection: Upgrade                                     
wsd-00020-03 00:00:52.012305 [ client_ws_0001 ] Thread started.                                                                                      
wsd-00020-03 00:00:52.017999 [ client_ws_0001 ] Starting GET request handler for session [0001].                                                     
wsd-00020-03 00:00:52.021916 [ client_ws_0001 ] Sending to Client [statusindicator: find].                                                           
wsd-00020-03 00:00:52.027225 [ client_ws_0001 ] getNewChild: No available child. Sending spawn request to forkit and failing.                        
wsd-00020-03 00:00:52.031579 [ client_ws_0001 ] getNewChild: Have 0 children, forking 1
wsd-00020-03 00:00:52.034723 [ client_ws_0001 ] MasterToForKit: spawn 1                                                                              
wsd-00020-03 00:00:52.039320 [ client_ws_0001 ] Writing to pipe. Data: [spawn 1].                                                                    
frk-00029-00 00:00:49.841115 [ loolforkit ] readFIFO for pipe: wsd_pipe_rd returned: 8                                                               
frk-00029-00 00:00:49.842636 [ loolforkit ] Read line from pipe: wsd_pipe_rd, line: [spawn 1], data: [].                                             
frk-00029-00 00:00:49.844773 [ loolforkit ] ForKit command: [spawn 1].                                                                               
frk-00029-00 00:00:49.848522 [ loolforkit ] Spawning 1 child per request.                                                                            
frk-00029-00 00:00:49.852312 [ loolforkit ] Creating 1 new child.                                                                                    
frk-00029-00 00:00:49.856471 [ loolforkit ] Forking a loolkit process.                                                                               
frk-00029-00 00:00:49.868595 [ loolforkit ] Forked kit [79].                                                                                         
kit-00079-00 00:00:49.877390 [ loolforkit ] Initializing kit                                                                                         
kit-00079-00 00:00:49.886394 [ loolforkit ] Log level is [8].                                                                                        
kit-00079-00 00:00:49.890521 [ loolkit ] Process started.                                                                                            
kit-00079-00 00:00:49.895058 [ loolkit ] Jail path: /opt/lool/child-roots/79/                                                                        
kit-00079-00 00:00:49.901287 [ loolkit ] symlink("../lo","/opt/lool/child-roots/79/opt/collaboraoffice5.1")                                          
kit-00079-00 00:00:50.068707 [ loolkit ] link("/opt/collaboraoffice5.1/CREDITS.fodt","/opt/lool/child-roots/79/lo/CREDITS.fodt") failed. Exiting. (e$
rno: Operation not permitted)                                                                                                                        
frk-00029-00 00:00:50.878230 [ loolforkit ] Child 79 has exited, removing its jail '/opt/lool/child-roots/79'                                        
wsd-00020-03 00:00:56.067237 [ client_ws_0001 ] getNewChild: No live child, forking more.                                                            
wsd-00020-03 00:00:56.067418 [ client_ws_0001 ] getNewChild: No available child. Sending spawn request to forkit and failing.                        
wsd-00020-03 00:00:56.067481 [ client_ws_0001 ] getNewChild: Have 0 children, forking 1                                                              
wsd-00020-03 00:00:56.067530 [ client_ws_0001 ] MasterToForKit: spawn 1                                                                              
wsd-00020-03 00:00:56.067579 [ client_ws_0001 ] Writing to pipe. Data: [spawn 1].

So one small step closer but still so far away from the solution

@koehn
You use Ubuntu 14.04?

Known problems:
This docker image does not work on Ubuntu 14.04 LTS, because Ubuntu 14.04 LTS has missing kernel compile option CONFIG_AUFS_XATTR=y, which is leading to setcap not working on docker’s aufs storage. Upstream bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1557776

So after messing around with AppArmor, SecComp and iptables for days, this hint also helped me with Ubuntu 16.04 Xenial, since Kernels before Ubuntu-4.4.0-22.38 on Xenial were also affected by the AUFS problem. I’m using Ksplice Uptrack to avoid reboots and was still running 4.4.0-21…

So for people running Xenial: make sure to have a current Kernel! Afterwards, I did not need to turn off AppArmor or do anything else besides what is described in the official guide.

Thanks for that tip @accolon. I was running Debian 8.5 and couldn’t get it to work. I then created a new VM running Ubuntu 16.04 Xenial (running kernel 4.4.0-31-generic). Done the same installation steps as I did before and now Collabora is working.

Guess sometimes you do have to get the correct OS to get something working.

There is one thing that isn’t working normally, the menu top left is not showing when clicking on ‘Office’, only when clicking on the logo it goes to the main page. I will open a new topic for it

I also had the issue about symlinking etc, i resolved it updating to kernel 4.6 (debian jessie).
Now I have an other problem:
kit-02288-04 00:46:00.612950 [ kit_queue_0011 ] Failed to load: file:///user/docs/2288/Nuovo%20foglio_elettronico.ods, error: loadComponentFromURL returned an empty reference
kit-02288-04 00:46:00.613279 [ kit_queue_0011 ] Failed to get LoKitDocument instance.

Upgrading my kernel (from 3.16 to 4.6) also fixed it for me (Debian 8.5)

I found that libreoffice online asks wopi urls adding “?encoding=text” to the url.
This ofcourse invalidate the token (the original url is https://cloud…etc/etc/etc?access_token=), so I manually fixed richdocuments app code using a $token = str_replace("?encoding=text", “”, $token);… Now it works

I moved my temp VM (which was working with Collabora) to my main domain, but now it fails again. From the docker output I get the following error:

wsd-00020-05 00:02:46.762424 [ client_ws_0002 ] WOPI::CheckFileInfo header for URI [https://cloud.<domain>.uk/apps/richdocuments/wopi/files/32?access_token=SHFfuiR1rzJw9HjDKP3FrIDkforxQTbb]:
        Date: Sun, 24 Jul 2016 20:47:02 GMT /   Server: Apache/2.4.18 (Ubuntu) /        Strict-Transport-Security: max-age=15768000; includeSubDomains; preload /    Expires: Thu, 19 Nov 1981 08:52:00 GMT /        Cache-Control: no-cache, must-revalidate /      Pragma: no-cache /      Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' /     Content-Length: 32 /    X-Content-Type-Options: nosniff /       X-XSS-Protection: 1; mode=block /       X-Robots-Tag: none /         X-Frame-Options: SAMEORIGIN /   X-Download-Options: noopen /    X-Permitted-Cross-Domain-Policies: none /       Content-Type: applica
tion/json; charset=utf-8 /      Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict /  Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax /   Set-Cookie: oc_sessionPassphrase=qa3q2rujbYasXeyd7Xtz%2FE3ZFkjw4VRwMU00mJUWf%2FRfwP4HdjUPbtvflJvIcGXaimUj1dWZ5VbXGaJU7ghId1j3dvgvQRklJ7%2BqDsfvvLnkOwut6aw0YGBSu1kCH0iq; p
ath=/; secure; httponly /       Set-Cookie: occ3bgzu13dp=b89bi7h3djt60hpbe5pvdqhn24; path=/; HttpOnly /         Connection: close /
wsd-00020-05 00:02:46.762637 [ client_ws_0002 ] WOPI::CheckFileInfo returned: {"message":"App is not enabled"}
wsd-00020-05 00:02:46.783261 [ client_ws_0002 ] ~DocumentBroker [https://cloud.<domain>.uk/apps/richdocuments/wopi/files/32?access_token=SHFfuiR1rzJ
w9HjDKP3FrIDkforxQTbb] destroyed with 0 sessions left.
wsd-00020-05 00:02:46.787713 [ client_ws_0002 ] ~ChildProcess dtor [184].
kit-00184-00 00:02:45.275424 [ loolkit ] Connection closed.

Now I am unclear why this is happening, since I only changed the domains used in Apache (separate VM) towards NC and Collabora. And changed the details in NC config to reflect the main domain.

Hi,

How do you do to upgrade to kernel 4.16? I try this but the kernel I installed doesn’t work with docker May be I don’t foudn the good kernel

I’m running the docker image on ubuntu 16.04 with the latest kernel. I’m getting the same error and my logs shows the following before the connection is refused

wsd-00020-05 00:00:28.352565 [ client_ws_0002 ] WOPI host is not on the same host as the WOPI client: “52.205.196.197”. Connection is not allowed.

Hi,

I have the same problem of a lot of people: when I open a document I have the message “We are sorry, this is an unexpected connection error. Please try again.”.

Here is my docker logs when the document is opened:

kit-00085-00 00:00:51.892720 [ loolkit ] Process started.
kit-00085-00 00:00:51.892951 [ loolkit ] Jail path: /opt/lool/child-roots/85/
kit-00085-00 00:00:51.893684 [ loolkit ] symlink("…/lo","/opt/lool/child-roots/85/opt/collaboraoffice5.1")
kit-00085-00 00:00:52.052085 [ loolkit ] link("/opt/collaboraoffice5.1/LICENSE","/opt/lool/child-roots/85/lo/LICENSE") failed. Exiting. (errno: Operation not permitted)
frk-00031-00 00:00:52.893093 [ loolforkit ] Child 85 has exited, removing its jail '/opt/lool/child-roots/85’
wsd-00022-10 00:00:55.833810 [ loolwsd ] Total memory used: 200752
wsd-00022-03 00:00:56.537906 [ client_ws_0001 ] getNewChild: No live child, forking more.
wsd-00022-03 00:00:56.538015 [ client_ws_0001 ] getNewChild: Timed out while waiting for new child.
wsd-00022-03 00:00:56.538063 [ client_ws_0001 ] Failed to get new child. Service Unavailable.
wsd-00022-03 00:00:56.538407 [ client_ws_0001 ] ClientRequestHandler::handleRequest: WebSocketErrorMessageException: Service is unavailable. Please try again later and report to your administrator if the issue persists.
wsd-00022-03 00:00:56.538929 [ client_ws_0001 ] Thread finished.
wsd-00022-00 00:00:56.679420 [ loolwsd ] MasterToForKit: spawn 1
wsd-00022-00 00:00:56.679516 [ loolwsd ] Writing to pipe. Data: [spawn 1].
frk-00031-00 00:00:56.026374 [ loolforkit ] readFIFO for pipe: wsd_pipe_rd returned: 8
frk-00031-00 00:00:56.026484 [ loolforkit ] Read line from pipe: wsd_pipe_rd, line: [spawn 1], data: [].
frk-00031-00 00:00:56.026553 [ loolforkit ] ForKit command: [spawn 1].
frk-00031-00 00:00:56.026633 [ loolforkit ] Spawning 1 child per request.
frk-00031-00 00:00:56.026721 [ loolforkit ] Creating 1 new child.
frk-00031-00 00:00:56.026784 [ loolforkit ] Forking a loolkit process.
frk-00031-00 00:00:56.032659 [ loolforkit ] Forked kit [90].
kit-00090-00 00:00:56.033241 [ loolforkit ] Initializing kit
kit-00090-00 00:00:56.033428 [ loolforkit ] Log level is [8].
kit-00090-00 00:00:56.033581 [ loolkit ] Process started.
kit-00090-00 00:00:56.033891 [ loolkit ] Jail path: /opt/lool/child-roots/90/
kit-00090-00 00:00:56.034586 [ loolkit ] symlink("…/lo","/opt/lool/child-roots/90/opt/collaboraoffice5.1")
kit-00090-00 00:00:56.195244 [ loolkit ] link("/opt/collaboraoffice5.1/LICENSE","/opt/lool/child-roots/90/lo/LICENSE") failed. Exiting. (errno: Operation not permitted)
frk-00031-00 00:00:57.033940 [ loolforkit ] Child 90 has exited, removing its jail ‘/opt/lool/child-roots/90’

In the javascript console, I have also the error:

leaflet-src.js (ligne 2839, col. 1)TypeError: doclayer is undefined

Can you help me to resolv the problem?

Thank you in advance
Floreal.

@rigrig how did you get docker to work. When I upgrade to 4.6 kernel it fails stating:

Jul 25 11:36:53 lenz docker[645]: time="2016-07-25T11:36:53.326947364+01:00" level=error msg="[graphdriver] prior storage driver \"aufs\" failed: driver not supported"
Jul 25 11:36:53 lenz docker[645]: time="2016-07-25T11:36:53.333684373+01:00" level=fatal msg="Error starting daemon: error initializing graphdriver: driver not supported"
Jul 25 11:36:53 lenz systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Jul 25 11:36:53 lenz systemd[1]: Unit docker.service entered failed state.

I am running docker 1.11.2-0~jessie

EDIT: I was able to get it to run again by running rm -rf /var/lib/docker/aufs and then start the docker service again

So after upgrading the kernel under Debian to 4.6 I am still stuck on the same step as before:

wsd-00020-05 00:02:46.762424 [ client_ws_0002 ] WOPI::CheckFileInfo header for URI [https://cloud..uk/apps/richdocuments/wopi/files/32?access_token=SHFfuiR1rzJw9HjDKP3FrIDkforxQTbb]:
Date: Sun, 24 Jul 2016 20:47:02 GMT / Server: Apache/2.4.18 (Ubuntu) / Strict-Transport-Security: max-age=15768000; includeSubDomains; preload / Expires: Thu, 19 Nov 1981 08:52:00 GMT / Cache-Control: no-cache, must-revalidate / Pragma: no-cache / Content-Security-Policy: default-src ‘none’;script-src ‘self’ ‘unsafe-eval’;style-src ‘self’ ‘unsafe-inline’;img-src ‘self’ data: blob:;font-src ‘self’;connect-src ‘self’;media-src ‘self’ / Content-Length: 32 / X-Content-Type-Options: nosniff / X-XSS-Protection: 1; mode=block / X-Robots-Tag: none / X-Frame-Options: SAMEORIGIN / X-Download-Options: noopen / X-Permitted-Cross-Domain-Policies: none / Content-Type: applica
tion/json; charset=utf-8 / Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict / Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax / Set-Cookie: oc_sessionPassphrase=qa3q2rujbYasXeyd7Xtz%2FE3ZFkjw4VRwMU00mJUWf%2FRfwP4HdjUPbtvflJvIcGXaimUj1dWZ5VbXGaJU7ghId1j3dvgvQRklJ7%2BqDsfvvLnkOwut6aw0YGBSu1kCH0iq; p
ath=/; secure; httponly / Set-Cookie: occ3bgzu13dp=b89bi7h3djt60hpbe5pvdqhn24; path=/; HttpOnly / Connection: close /
wsd-00020-05 00:02:46.762637 [ client_ws_0002 ] WOPI::CheckFileInfo returned: {“message”:“App is not enabled”}
wsd-00020-05 00:02:46.783261 [ client_ws_0002 ] ~DocumentBroker [https://cloud..uk/apps/richdocuments/wopi/files/32?access_token=SHFfuiR1rzJ
w9HjDKP3FrIDkforxQTbb] destroyed with 0 sessions left.
wsd-00020-05 00:02:46.787713 [ client_ws_0002 ] ~ChildProcess dtor [184].
kit-00184-00 00:02:45.275424 [ loolkit ] Connection closed.
wsd-00020-04 00:02:46.070602 [ client_ws_0001 ] ClientRequestHandler::handleRequest: BadRequestException: Invalid URI or access denied.

It is unclear to me why it states “App is not enabled”. When I check the URL in the first line manually I do get the following output:

{"BaseFileName":"New Spreadsheet.ods","Size":7130,"Version":"0"}

Does the “HttpOnly” element have any influence on it, since all communication is done via HTTPS?

After upgrading to kernel 4.6 i also changed the docker storage driver (from aufs to overlay).
And remember that if you change it you will lose al the images you have built.

I’m just wondering does the server have to be running on the same host as the client even if it’s on a different subdomain?