I've installed Collabora Online on a Debian buster LXC unprivileged container, mostly following the Nextcloud info in https://nextcloud.com/collaboraonline/; loolwsd starts as expected, Nextcloud connects to the instance, but when I try to open a document I got:
You are not the only one who has tried to run it in an unprivileged container; I tried too, using Proxmox just like you. But unprivileged containers should remain as they are. I don't like to loosen security further than needed, just for the sake of the lower footprint.
So I ended up with a KVM VM instead of a container. Some more overhead, but more secure, and I'm happy with it.
…but the "default" distribution for Collabora Online is the docker container, and I don't think that a docker container and an LXC container differ too much…
Not every container is the same. You could say that docker is made more for application containers and lxc (in proxmox) is made for system containers:
Quote from Linux Container - Proxmox VE
Our primary goal is to offer an environment that provides the benefits of using a VM, but without the additional overhead. This means that Proxmox Containers can be categorized as "System Containers", rather than "Application Containers".
If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox Qemu VM. This will give you all the advantages of application containerization, while also providing the benefits that VMs offer, such as strong isolation from the host and the ability to live-migrate, which otherwise isn't possible with containers.
Surely docker and LXC containers are different things, but AFAIK they are based on the same things, e.g. CGroups and so on.
In Proxmox there's a way to "relax" the capability and security features built around containerization. But looking at the logs, it is not clear what loolwsd does. Surely it calls "loolmount" to (bind)mount some dir, but apart from that…
Are there some technical docs that explain what loolwsd does? Or can someone point me to a piece of code where I can get this information?
It is hard to understand, and so, possibly, solve a problem if there's little or no clue…
Although I'm not in favor of weakening the default container security, I'm happy to guide you a bit.
I'm not sure if this discussion should take place here, because the issues you are having are not Nextcloud related, but rather Collabora/LibreOffice Online in combination with Proxmox/LXC. So perhaps it's better to discuss these technical details in their communities and, when interesting, link them here.
Guidance for Proxmox:
I saw that you posted the question on the proxmox mailing list; maybe you should just post it in the proxmox forum [1]. In my opinion the people on the pve-user mailing list are mostly people using it in production for their business, and to be honest this topic tends a bit towards tinkering, so maybe you won't get an answer there.
In the forums you will find a lot of people tinkering, so I think you will get advice there soon enough (proxmox staff is on the forums too).
I don't have experience myself with dropping linux capabilities inside the containers, but probably that could be the way to get it working, although you mention that you already tried some with caps. Perhaps this [2] is an example of dropping the security far enough, but be aware what that means for your host and other containers/VMs. See man lxc.container.conf and man capabilities.
Guidance for Collabora/LibreOffice Online:
You could try their mailing lists or IRC here [3] and ask them what the requirements are to get it running inside lxc.
Also you could look at the code; the official repo is here [4], or a github mirror for easier search here [5].
Your clue is /usr/bin/loolmount
When searching for loolmount I found these files [6] and [7] interesting.
Surely it is a LOO/PVE trouble, but (also looking at your link [3]) I've not found specific support (forum, mailing list, …) for LOO. ;-(
Thanks for the links. I've effectively tried (I think most, but surely not all) combinations of caps, but for most the container does not start, and for the others nothing changes (e.g. LOO does not work).
The thing that seems to have some sort of effect is a setting in the loolwsd.xml file set to false, meaning that with that setting at least the physical PVE server does not complain anymore that the container is doing something nasty, but it does not work (same errors about mounting).
Hi @nextnoci, I am running LXD/LXC installed via snap, so all of my config items for LXD are in /snap/lxd/… and I am having trouble trying out your solution.
It seems like we are supposed to be editing LXD container configurations using the
lxc config edit <container_name> command, which brings up the config in an editor and does a validation check when saving (much like visudo error checks before saving).
I have tried editing in many of these suggestions, but they don't seem to stick.
Have you ever used the ubuntu snap environment?
My nextcloud container config looks like this when I use the suggested edit command:
### This is a YAML representation of the configuration.
### Any line starting with a '# will be ignored.
###
### A sample configuration looks like:
### name: instance1
### profiles:
###   - default
### config:
###   volatile.eth0.hwaddr: 00:16:3e:e9:f8:7f
### devices:
###   homedir:
###     path: /extra
###     source: /home/user
###     type: disk
### ephemeral: false
###
### Note that the name is shown but cannot be changed
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 22.04 LTS amd64 (release) (20230107)
  image.label: release
  image.os: ubuntu
  image.release: jammy
  image.serial: "20230107"
  image.type: squashfs
  image.version: "22.04"
  volatile.base_image: ed7509d7e83f29104ff6caa207140619a8b235f66b5997f1ed6c5e462617fb71
  volatile.cloud-init.instance-id: d6d4773f-cf7a-4ef3-8cc3-15b3a40b31cb
  volatile.eth0.hwaddr: 00:16:3e:52:54:dd
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":>
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":100>
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: STOPPED
  volatile.last_state.ready: "false"
  volatile.uuid: bcd84bdb-461c-46bb-94a5-1e2a9fec28bc
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""
created_at: 2023-01-19T13:49:01.102494553Z
name: nextcloud
status: Stopped
status_code: 102
last_used_at: 2023-01-20T15:17:29.808026539Z
location: none
type: container
project: nextcloud
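Since the thread's recurring point is to keep the container unprivileged while experimenting with capabilities, here is a small check you can run against the `config:` section of `lxc config show <name>` output like the one above. It is an added example, not code from the thread or from LXD; the sample config below is constructed (the idmap JSON in the forum paste is truncated, so it was completed by hand to the same shape), and it reads the `volatile.idmap.current` entries to confirm that no in-container uid/gid is mapped onto host root.

```python
import json

# Constructed sample modelled on the `lxc config show` output quoted in this thread.
# The idmap entries are completed by hand (the forum paste is cut off), so treat the
# values as an illustration of the shape, not as the poster's real mapping.
SAMPLE_CONFIG = {
    "security.privileged": "false",
    "volatile.idmap.base": "0",
    "volatile.idmap.current": json.dumps([
        {"Isuid": True, "Isgid": False, "Hostid": 1000000, "Nsid": 0, "Maprange": 1000000000},
        {"Isuid": False, "Isgid": True, "Hostid": 1000000, "Nsid": 0, "Maprange": 1000000000},
    ]),
}


def idmap_findings(config):
    """Return human-readable problems found in an LXD container's config dict.

    An empty list means the container still looks unprivileged: root inside the
    container is shifted to a non-root id on the host for both uids and gids.
    """
    findings = []
    if str(config.get("security.privileged", "false")).lower() == "true":
        findings.append("security.privileged=true: container root is host root")
    try:
        entries = json.loads(config.get("volatile.idmap.current", "[]"))
    except json.JSONDecodeError:
        return findings + ["volatile.idmap.current is not valid JSON"]
    if not entries:
        findings.append("empty idmap: no uid/gid shifting is in effect")
    for e in entries:
        kind = "uid" if e.get("Isuid") else "gid"
        host_lo = int(e["Hostid"])
        host_hi = host_lo + int(e["Maprange"]) - 1
        # If host id 0 falls inside the mapped window, some container id becomes host root.
        if host_lo <= 0 <= host_hi:
            findings.append(f"{kind} map covers host id 0 (Hostid={host_lo}, Maprange={e['Maprange']})")
    return findings


def is_unprivileged(config):
    """True when no finding indicates that the container can act as host root."""
    return not idmap_findings(config)


if __name__ == "__main__":
    print("unprivileged" if is_unprivileged(SAMPLE_CONFIG) else "PRIVILEGED")
    for f in idmap_findings(SAMPLE_CONFIG):
        print(" -", f)
```

Feed it the parsed `config:` mapping of your own container before and after each `lxc config edit` round to make sure the capability experiments have not silently turned it into a privileged container.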