Couple more things I wanted to add. I'm not sure how many people check these forums, however the forums were invaluable to me when spending hours trying to get things up and working.
References (Source of information - along with some Google-Fu):
- Setting up and configuring collabora/code Docker image - Collabora Office and Collabora Online
- Integrate Collabora Online with Nextcloud on Ubuntu with Docker
- Collabora Online Development Edition (CODE) - Collabora Office and Collabora Online
Instructions applicable only if trying to run the collabora docker plugin. I didn't build collabora from scratch, so some of the information presented below probably isn't going to be relevant, however salient points probably could be inferred.
Useful commands:
sudo docker ps <----- Shows status of docker
sudo docker stop <container id> <----- Stops docker container given either ID/container name
sudo docker start <container id> <------Starts docker container given either ID/container
sudo docker rm <container id> <--------Use this command if container fails to start or you just really get stuck. (I had to use this command a lot)
sudo docker logs <container id> or
sudo docker logs --tail 50 --follow --timestamps <container id> <----- Useful to see what's going on with your docker instance if something isn't working.
docker exec -it <container id> /bin/bash <----- Command to get a terminal prompt within the docker container. Filesystem is mounted read-only, so it's helpful to view files, but it's also possible to change the ownership of files.
When starting up the container, this is the command I used:
sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 9980:9980 -e "domain=nextcloud\.domain\.com" --name="jax" -e "username=admin" -e "password=dockercol" --mount type=bind,src=/etc/letsencrypt,target=/etc/letsencrypt,readonly --restart always --cap-add MKNOD collabora/code
Explanation
--sysctl net.ipv6.conf.all.disable_ipv6=1 Ensures ipv6 is disabled.
--sysctl net.ipv6.conf.default.disable_ipv6=1 Ensures the ipv6 service is disabled when restarting. Both these lines were included based on prior suggestions contained within this thread to disable ipv6.
-p 9980:9980 - Based on my setup I wanted to bind Docker's listening port 9980 to the machine's listening port for all incoming addresses. Most documentation is going to tell you to do -p 127.0.0.1:9980:9980. This variant is fine if the docker collabora instance is being run on the same machine as the apache/nginx webserver. In my situation, however, my collabora instance is running within a VM within the LAN on a different server.
--name="jax" - You can choose any name here, however I set this parameter so the container is always started/stopped etc. with the same name. In my example used below my <container id>=jax. Makes it a lot easier to troubleshoot if the container is always loaded and started with the same id.
-e "username=<ANYNAME>" , -e "password=<ANYPASS>" - Only need these parameters if wanting to use the collabora admin console - I used this definitely for debugging. If I could reach the admin console, I knew that at least the container was able to start up and I could read for basic input. The admin console is going to be reached at:
https://<codebase>/loleaflet/dist/admin/admin.html
<codebase> refers to the URL of the machine that the collabora docker container is running on. If this is on the same machine as the nextcloud instance, the codebase name will probably be something like nextcloud.domain.com. If the collabora docker image is being run on a different machine, then the URL needs to be a URL with a valid SSL cert.
- Side Note: If routing to a different machine on the LAN, I named a LAN machine office.domain.com (I appended this subdomain to my main domain LetsEncrypt certificate - Instructions: User Guide - Certbot 2.7.0.dev0 documentation and look for section with example: certbot certonly --cert-name example.com -d example.org,www.example.org). In routing to this internal LAN machine (which is actually a FreeNAS ubuntu VM), I modified the /etc/hosts file of the machine running apache/nextcloud to map office.domain.com to the internal LAN address of the VM. This negated me needing to run a local DNS server or expose port 9980 to the WAN. Depending on your setup, this may or may not be needed.
--mount type=bind,src=/etc/letsencrypt,target=/etc/letsencrypt,readonly
This command is totally optional, however all my certificates are kept in one directory on a local machine. The other machines that need access to these certificates either mount the directory within a jail type structure (if using FreeNAS/BSD), or within an NFS share. I share the SSL certificate directory whereby the directories are mounted as read-only for those machines needing access. My setup is so when I renew my certs, the certs are all renewed in one directory and then the shares are automatically updated as well. This is just one strategy for sharing certs among different machines. These certs must be available as well to the docker collabora container. (See discussion below regarding the loolwsd.xml file).
--restart always - Docker will restart the machine automatically if the machine goes down or experiences an error (usually the behavior you want unless you're modifying the contents of the container - see below in the discussion regarding the certificates).
My docker collabora container is started with these parameters as discussed above, however additional parameters are contained within a file named loolwsd.xml which is owned by lool:lool (more on this in a minute). This file is located within the container itself within the /etc/loolwsd directory. In many cases it's very useful to get a terminal prompt within the docker container to inspect various files such as loolwsd.xml for debugging purposes.
Although it's possible to start the collabora docker container with most of the default settings, in many cases additional settings need to be tweaked in order for the container to work. Container settings are either passed on the command line (which takes precedence) or read from a global configuration file known as loolwsd.xml.
To modify the loolwsd.xml file I first needed to copy the file from the container (I ran this under the root user or with sudo):
docker cp <container id>:/etc/loolwsd/loolwsd.xml loolwsd.xml <----- Copies the config file from the docker container to a local file
As root user it's possible to edit the file (vi, nano, any other editor) and make changes to the various fields. In regards to the LetsEncrypt SSL certs (which were mounted as above), I modified this file like this:
<ssl desc="SSL settings">
    <enable type="bool" desc="Controls whether SSL encryption is enable (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
    <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
    <cert_file_path desc="Path to the cert file" relative="false">/etc/letsencrypt/live/domain.com/cert.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/letsencrypt/live/domain.com/privkey.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/letsencrypt/live/domain.com/chain.pem</ca_file_path>
    <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
    <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
        <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin></pin>
        </pins>
    </hpkp>
</ssl>
Additional settings can be added or removed as many other users have suggested within this thread. Please take a look at the file to familiarize yourself with the various options.
The configuration file needs to be written back to the container. The original ownership of the loolwsd.xml file was lool:lool and modifications were done under the root user (root:root). You can not directly cp the file into the container because permissions will not be correct (Documentation of this fact would have saved me hours of debugging!!). In order to correctly cp the xml file back to the container do the following:
- Stop the container:
  sudo docker stop <container id>
- Remove the container:
  sudo docker rm <container id>
- Restart the container (HOWEVER DO NOT START WITH THE --restart always flag) !!VERY IMPORTANT. For my setup the command would be:
  sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 9980:9980 -e "domain=nextcloud\.domain\.com" --name="jax" -e "username=admin" -e "password=dockercol" --mount type=bind,src=/etc/letsencrypt,target=/etc/letsencrypt,readonly --cap-add MKNOD collabora/code
- Copy the loolwsd.xml file back to the container:
  sudo docker cp loolwsd.xml <container id>:/etc/loolwsd/loolwsd.xml
- Log in to the container:
  sudo docker exec -it <container id> /bin/bash
- Modify the ownership of the loolwsd.xml:
  chown lool:lool /etc/loolwsd/loolwsd.xml
- Exit the container with the exit command
- Stop and remove the container:
  sudo docker stop <container id>
  sudo docker rm <container id>
- Restart the container with the --restart always flag:
  sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 9980:9980 -e "domain=nextcloud\.domain\.com" --name="jax" -e "username=admin" -e "password=dockercol" --mount type=bind,src=/etc/letsencrypt,target=/etc/letsencrypt,readonly --restart always --cap-add MKNOD collabora/code
Unfortunately these 9 steps need to be repeated if the loolwsd.xml file would need any additional modifications or revisions. It's possible to pass the options to the container on the command line to avoid this step, however in my experience the syntax begins to become very difficult.
Hopefully this helps someone in the future. Sorry about the long post.
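
A pre-flight check for the edited loolwsd.xml, to run before the docker cp step so a bad path does not cost another nine-step round trip. This is an added example, not part of the original post or of Collabora's tooling; the function name check_ssl, the trimmed sample and its <config> wrapper are assumptions made for the example.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: the post's <ssl> block with desc attributes and hpkp dropped,
# wrapped in a <config> root so that it parses on its own.
SAMPLE = """<config>
  <ssl>
    <enable type="bool" default="true">true</enable>
    <termination type="bool" default="true">false</termination>
    <cert_file_path relative="false">/etc/letsencrypt/live/domain.com/cert.pem</cert_file_path>
    <key_file_path relative="false">/etc/letsencrypt/live/domain.com/privkey.pem</key_file_path>
    <ca_file_path relative="false">/etc/letsencrypt/live/domain.com/chain.pem</ca_file_path>
    <cipher_list default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
  </ssl>
</config>"""

PATH_TAGS = ("cert_file_path", "key_file_path", "ca_file_path")


def check_ssl(xml_text, mount_target="/etc/letsencrypt"):
    """Return a list of problems in the <ssl> block; an empty list means it looks sane."""
    ssl = ET.fromstring(xml_text).find(".//ssl")  # ParseError here means a broken edit
    if ssl is None:
        return ["no <ssl> element"]

    def text(tag):
        return (ssl.findtext(tag) or "").strip()

    problems = []
    enabled = text("enable").lower() == "true"
    terminated = text("termination").lower() == "true"
    if not enabled and not terminated:
        problems.append("ssl disabled and no terminating proxy: traffic is plain http")
    if enabled:
        prefix = mount_target.rstrip("/") + "/"
        for tag in PATH_TAGS:
            path = text(tag)
            if not path:
                problems.append(f"{tag} is empty")
            # normpath collapses ../ so a path cannot appear to sit under the mount
            elif not posixpath.normpath(path).startswith(prefix):
                problems.append(f"{tag}={path} is outside the bind mount {mount_target}")
    return problems


if __name__ == "__main__":
    print(check_ssl(SAMPLE) or "ssl block OK")
```

The path check matters because the container only sees what the --mount flag exposes: a key path outside /etc/letsencrypt exists on the host but not inside the container.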