Nextcloud 12 and Collabora 5.3 Debian 8 native packages

Greetings!

I haven’t used NC with Collabora-Online (CODE) for a long time, but now I must come back to them. Enterprise needs :). I’ve checked what’s new with NC and CODE. I’m happy that NC has changed for the better, but CODE…

Well, I found that CODE can be installed from a repository as native Linux packages, and I thought: “wow! that’s great!”. I created two LXC Proxmox containers with Debian 8 for testing, rewrote my NC installation bash script (for a comfy install) and started the installation…

NC was installed without any problems and works properly. This was the first LXC test container, if you want: “cloud0.mycompany.com”. Problems were waiting for me with the CODE LXC container, “office0.mycompany.com”…

The first problem was the Debian 8 container. I used the info placed at that page. With sadness, I understood that I can’t install CODE for Debian 8 for some reason, and I created an Ubuntu 16.04 LXC container. In that case the installation was successful, but CODE didn’t start! The loolwsd service crashes immediately.

I found some problems:

  • the /var/log/loolwst.log file is absent;
  • the loolwsd certificates are absent from the /etc/loolwsd/ directory (with the Docker CODE image they are always present);

I placed the certificates and created the log file (changing its owner to the “lool” user, otherwise the service doesn’t start), changed the loolwst.xml config file and… Yeah! It started! But my happiness didn’t last long…

I enabled the CODE app in NC, nothing was wrong, and I created a test file… The file appeared immediately (usually, if there are problems with CODE, files don’t appear immediately after being created), I clicked on it and… got nothing besides a gray screen and the NC bar at the top of the page! \o/

I checked the logs in NC, loolwsd, and hell knows what else, but found nothing! All services run fine, the CODE admin console works properly, I receive ‘OK’ at the “https://office0.mycompany.com:9980” address, but I can’t edit any document with CODE in NC =’(

What I’ve got with the new CODE version…

I’ve tried to create a VM with Debian 8 and Docker inside it, but with no result.

Any ideas?

P.S. One small thing… I’ve got some info from the loolwst log file:

]. (errno: Bad file descriptor)| common/IoUtil.cpp:200
wsd-00838-00838 14:46:17.811110 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.811152 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.811167 [ loolwsd ] WRN Waking up dead poll thread [prisoner_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.811174 [ loolwsd ] WRN Waking up dead poll thread [prisoner_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.848821 [ loolwsd ] WRN Waking up dead poll thread [main], started: false, finished: false| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.848845 [ loolwsd ] WRN Waking up dead poll thread [main], started: false, finished: false| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.849211 [ loolwsd ] WRN Waking up dead poll thread [admin], started: true, finished: true| ./net/Socket.hpp:507
wsd-00838-00838 14:46:17.849225 [ loolwsd ] WRN Waking up dead poll thread [admin], started: true, finished: true| ./net/Socket.hpp:507
frk-00859-00859 14:46:17.985604 [ forkit ] ERR Failed to set RLIMIT_NOFILE to 52428800 bytes. (errno: Operation not permitted)| common/Seccomp.cpp:273
wsd-00857-00857 14:46:17.937393 [ loolwsd ] ERR Failed to write to pipe. Data: [setconfig limit_virt_mem_mb 0
setconfig limit_stack_mem_kb 8000
setconfig limit_file_size_mb 50
]. (errno: Bad file descriptor)| common/IoUtil.cpp:200
wsd-00857-00865 15:58:00.095979 [ websrv_poll ] ERR FileServerRequestHandler::NotAuthenticated: No authentication information found| wsd/FileServer.cpp:254
wsd-00857-00865 15:58:06.804589 [ websrv_poll ] ERR FileServerRequestHandler::NotAuthenticated: No authentication information found: Invalid admin login| wsd/FileServer.cpp:254
wsd-00857-00865 15:58:14.878019 [ websrv_poll ] ERR FileServerRequestHandler::NotAuthenticated: No authentication information found: Invalid admin login| wsd/FileServer.cpp:254
wsd-00857-00865 15:58:19.343889 [ websrv_poll ] ERR FileServerRequestHandler::NotAuthenticated: No authentication information found: Invalid admin login| wsd/FileServer.cpp:254
wsd-00857-00866 16:01:51.522397 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:01:53.471404 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:01:55.119243 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:01:58.490586 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:02:00.550503 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:02:04.806881 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:02:06.304917 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:02:08.169604 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:06:54.847086 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:07:05.068479 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:07:08.240284 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:10:10.466702 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:10:25.136452 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00866 16:10:30.531917 [ admin ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00857-00857 16:29:22.537395 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.537431 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.537446 [ loolwsd ] WRN Waking up dead poll thread [prisoner_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.537453 [ loolwsd ] WRN Waking up dead poll thread [prisoner_poll], started: true, finished: true| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.601656 [ loolwsd ] WRN Waking up dead poll thread [main], started: false, finished: false| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.601686 [ loolwsd ] WRN Waking up dead poll thread [main], started: false, finished: false| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.602081 [ loolwsd ] WRN Waking up dead poll thread [admin], started: true, finished: true| ./net/Socket.hpp:507
wsd-00857-00857 16:29:22.602095 [ loolwsd ] WRN Waking up dead poll thread [admin], started: true, finished: true| ./net/Socket.hpp:507
frk-00223-00223 16:29:26.563890 [ forkit ] ERR Failed to set RLIMIT_NOFILE to 52428800 bytes. (errno: Operation not permitted)| common/Seccomp.cpp:273


I have the same problem. What can I do to solve it?

I removed the docker container and did a new pull. But that didn’t work.

Did you check the browser console (usually F12) to see if there are any errors?

Thanks for it. I’ve received something like that...

Refused to frame ‘https://office0.mycompany.com/loleaflet/160197f/loleaflet.html?WOPISrc=htt…09tqj&title=test.odt&lang=ru&closebutton=1&revisionhistory=1’ because it violates the following Content Security Policy directive: “frame-src https://office0.mycompany.com:9980”.

But I still can’t understand what to do =(

You can take a look at this page, it’s explained very well:
https://content-security-policy.com/
You have to add a header directive to your web conf, depending on your web server (Apache or nginx).
I suggest something like:
Header set Content-Security-Policy "frame-src *.mycompany.com;" for apache
add_header Content-Security-Policy "frame-src *.mycompany.com;"; for nginx
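
Why the browser refused the frame, as an added example that is not part of the original posts: a simplified version of CSP host-source matching (scheme, host and port only) run against the policy and the URL from the error above. The function names are made up for this illustration, and the page carrying the policy is assumed to be served over https.

```javascript
// Simplified CSP host-source matching: scheme, host and port only (paths ignored).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Split a source expression such as "https://office0.mycompany.com:9980"
// or "*.mycompany.com" into its optional scheme, host and optional port.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// pageScheme: scheme of the page that carries the policy (assumed https here).
function frameAllowed(expr, frameUrl, pageScheme = "https:") {
  const src = parseSource(expr);
  const url = new URL(frameUrl);

  // Scheme: an expression without a scheme inherits the page's scheme;
  // "http" also admits its secure upgrade "https".
  const want = src.scheme || pageScheme;
  if (url.protocol !== want && !(want === "http:" && url.protocol === "https:")) return false;

  // Host: "*.example.com" matches subdomains only, anything else must be equal.
  const host = url.hostname.toLowerCase();
  if (src.host.startsWith("*.")) {
    if (!host.endsWith(src.host.slice(1))) return false;
  } else if (host !== src.host) return false;

  // Port: no port in the expression means the scheme's default port only.
  if (src.port === "*") return true;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  return urlPort === (src.port || DEFAULT_PORT[url.protocol]);
}

// URL from the browser error above, with the (truncated) query string left out.
const BLOCKED = "https://office0.mycompany.com/loleaflet/160197f/loleaflet.html";

function demo() {
  return {
    policyFromError: frameAllowed("https://office0.mycompany.com:9980", BLOCKED),
    suggestedWildcard: frameAllowed("*.mycompany.com", BLOCKED),
    exactHostNoPort: frameAllowed("https://office0.mycompany.com", BLOCKED),
    wildcardOn9980: frameAllowed("*.mycompany.com", "https://office0.mycompany.com:9980/"),
  };
}
console.log(demo());
```

Only the port differs between the policy in the error and the framed URL, so a source limited to `https://office0.mycompany.com` passes the same check as the wildcard.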

Hm… I’ve placed this in my Nextcloud Apache config and the Collabora/CODE interface is now visible! But I receive an error message: “Well, this is embarassing…”, something went wrong =/

Also getting this after pulling a new version of the container.

My log looks remarkably similar to the OP:
wsd-00026-00026 22:04:36.275672 [ loolwsd ] ERR Failed to write to pipe. Data: [setconfig limit_virt_mem_mb 0
setconfig limit_stack_mem_kb 8000
setconfig limit_file_size_mb 50
]. (errno: Bad file descriptor)| common/IoUtil.cpp:200
frk-00028-00028 22:04:36.286851 [ forkit ] ERR Failed to set RLIMIT_NOFILE to 52428800 bytes. (errno: Operation not permitted)| common/Seccomp.cpp:273

I’m using RHEL 7.4.

I’m not using the Docker image for Collabora/CODE, I’m using the Debian 8 repository provided by the Collabora team.

I need two LXC containers on my server, as different services: 1 - cloud; 2 - document editor. The cloud works fine, but Collabora… I don’t know what the hell is wrong with it! So disappointed in the Collabora/CODE project =(

Seems like the Collabora packages are trying to set capabilities that are not permitted within LXC containers. This is what I get when installing the Debian packages within a Debian 9 LXC container:

Failed to set capabilities on file `/usr/bin/loolforkit' (Operation not permitted)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Failed to set capabilities on file `/usr/bin/loolmount' (Operation not permitted)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

Hence the start of the loolwsd service fails.

It is not only in an LXC container but also in Docker. The big question is how to solve it?

I reinstalled the whole OS.

In the VPS I installed the packages of CODE and used Ubuntu 16.04.

I used the instructions on https://www.collaboraoffice.com/code/ and as a proxy I used apache2.

The difficult part was that I needed to find out what the correct settings were for loolwsd.xml.
I left <server_name> empty.
Within <storage desc=“Backend storage”>, where the default is localhost, I used the name of the Nextcloud hostname.

After that I needed to register the collaboraoffice URL again in the Nextcloud configuration; this way Nextcloud does a new discovery on https://office.domain.nl/hosting/discovery

I still get the “ERR Failed to set RLIMIT_NOFILE to 52428800 bytes. (errno: Operation not permitted)| common/Seccomp.cpp:273” error but all works fine now.

The first time that I ran CODE, I started CODE with the shell code from https://raw.githubusercontent.com/CollaboraOnline/Docker-CODE/master/scripts/start-libreoffice.sh

Also in the browser console I get an error that the X-Frame-Options was not on the SAMEORIGIN

I got the same problem as you … Did you manage to find a solution ???

Having the same issue as stated here with CODE. LXC environment:

Failed to set capabilities on file `/usr/bin/loolforkit' (Invalid argument)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Failed to set capabilities on file `/usr/bin/loolmount' (Invalid argument)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

I’m really surprised that this hasn’t been reported more, and that it hasn’t been fixed.

Anyone found a workaround?

My workaround for this is, from outside the lxc container, run setcap to set the appropriate permissions on the executables inside the container. I use ZFS for my container filesystems, and the root fs of each container is under /var/lib/lxd/containers. So I do:

sudo setcap cap_sys_admin=ep /var/lib/lxd/containers/CONTAINER_NAME/rootfs/usr/bin/loolmount
sudo setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /var/lib/lxd/containers/CONTAINER_NAME/rootfs/usr/bin/loolforkit

That avoids a crash when loolwsd starts and attempts to check capabilities. Unfortunately, it doesn’t actually allow loolforkit to use mknod within the container. It appears that when loolwsd starts and whenever it opens a file, it creates a chroot environment in a sub-directory of /opt/lool/child-roots. The sub-directories are created with an automatically generated name, so it is unpredictable what they will be called. Within those chroot environments, loolforkit attempts to mknod /dev/random and /dev/urandom, but fails.

To work around this, I wrote a script to run on the host that creates those nodes every time a new sub-directory appears in /opt/lool/child-roots. It uses inotify tools to watch the directory and whenever a subdirectory appears, it creates the nodes and changes their ownership to the container’s root (i.e., 100000).

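#!/bin/bash
# Run on the LXC host as root. $1 is the container name.
# Watches the container's /opt/lool/child-roots and creates /dev/random and
# /dev/urandom inside every new sub-directory that appears there.

if [ -z "$1" ]; then
        echo "usage: $0 CONTAINER_NAME" >&2
        exit 1
fi

DIR="/var/lib/lxd/containers/$1/rootfs/opt/lool/child-roots"
while RES=$(inotifywait -e create "$DIR"); do
  # inotifywait prints "<dir>/ CREATE,ISDIR <name>"; skip events that are not new directories
  case "$RES" in *"CREATE,ISDIR "*) ;; *) continue ;; esac
  F=${RES#?*CREATE,ISDIR }
  sleep 1   # wait before touching the new directory
  mknod "$DIR/$F/dev/random" c 1 8    # character device, major 1, minor 8
  mknod "$DIR/$F/dev/urandom" c 1 9   # character device, major 1, minor 9
  # 100000 is the container's root as seen from the host
  chown 100000:100000 "$DIR/$F"/dev/*
done

exit 0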