[SOLVED] Collabora online office not working for me (using docker container)

I installed collabora online office as described on the nextcloud side.

First, I tried to use nginx with several different configs I found here in the forum, second I installed apache as well and configured office.roessner-net.de on port 8443 there.

Here is my current apache config:

<IfDefine SSL>
<IfModule ssl_module>

<IfDefine XML2ENC>
LoadModule xml2enc_module modules/mod_xml2enc.so
</IfDefine>

Listen 8443

<VirtualHost 134.255.226.244:8443>
ServerName office.roessner-net.de
ErrorLog /var/log/apache2/ssl_error_log

<IfModule log_config_module>
	TransferLog /var/log/apache2/ssl_access_log
</IfModule>

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/office.roessner-net.de/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/office.roessner-net.de/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/office.roessner-net.de/privkey.pem
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool

</VirtualHost>
</IfModule>
</IfDefine>

# vim: ts=4 filetype=apache

My nextcloud installation runs under https://roessner-net.de/nextcloud. I started collabora like this:

#!/bin/bash
docker pull collabora/code

docker run -t -d \
-p 127.0.0.1:9980:9980 \
-e 'domain=roessner-net\\.de' \
--restart always \
--cap-add MKNOD \
--name collabora \
-e "username=..." -e "password=..." \
collabora/code

exit 0

When trying to open an odt document, the web user interface of collabora gets loaded and I see connecting. After a moment I receive an error that it could not load the document.

Running the docker container in foreground, I see these messages:

./collabora.sh
Using default tag: latest
latest: Pulling from collabora/code
Digest: sha256:7abe64fbc35fd83e23585ad430f56197323753a00b8f919b2dcd95066a513e32
Status: Image is up to date for collabora/code:latest
Generating RSA private key, 2048 bit long modulus
..........................................+++
......................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
............................................................................................................+++
..............................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.4 - 2.0.4
wsd-00026-0029 12:47:55.799689 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00026-0030 12:47:56.392413 [ client_ws_0003 ] WRN  getNewChild: No available child. Sending spawn request to forkit and failing.| wsd/LOOLWSD.cpp:422
wsd-00026-0030 12:48:01.392975 [ client_ws_0003 ] WRN  getNewChild: No available child. Sending spawn request to forkit and failing.| wsd/LOOLWSD.cpp:447
wsd-00026-0030 12:48:01.393144 [ client_ws_0003 ] WRN  getNewChild: No available child. Sending spawn request to forkit and failing.| wsd/LOOLWSD.cpp:422
wsd-00026-0030 12:48:01.774287 [ client_ws_0003 ] ERR  Error in client request handler: Connection refused| wsd/LOOLWSD.cpp:1038
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.21", "BuildId": "e91d2c2d59b035e40bdefac5fe06fb210180ed86" }
wsd-00026-0032 12:48:01.891153 [ client_ws_0005 ] ERR  Error in client request handler: Connection refused| wsd/LOOLWSD.cpp:1038
wsd-00026-0031 12:48:01.893142 [ client_ws_0004 ] ERR  Error in client request handler: Connection refused| wsd/LOOLWSD.cpp:1038

Unfortunately I have no idea what these errors mean. Also searching here on the forum and with Google, I was not able to solve this problem.

This is my first-time usage for CODE.

I really thank you for any hint that you could give to me.

Thanks in advance

Christian

Are you using CODE on a separate box from the server?

Is it a local VM? or a VPS?

It was iptables that blocked the communication between localhost and docker.

Oh, great, you figured it out.

Can you please tell us what was wrong with your iptables?

yes

I use shorewall and defined a dock-zone. In the policy I rejected access from that zone to the local firewall. That was the reason why the docker container could not access the files from nextcloud. I changed the policy, so the dock-zone has full access.

If you guys can tell me which TCP ports it exactly needs, I would shrink the access rules to these.

Thanks

thank you for your response.

The docker image usually uses TCP port 9980, depending on which port you start your docker image with:

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nc11\.domain\.ch' --restart always --cap-add MKNOD collabora/code

Doesn’t it do active connections from inside the docker container to the outside? To the nextcloud server?

As far as I know, yes, in both directions.

But probably somebody knows more about docker than I do, I'm not really an expert when it comes to docker - all I'm trying to do is give you a hand :slight_smile:

Thanks :slight_smile:

It currently works for me (very well). So there is not really a “need” of tweaking my iptables any further.

Nonetheless, would you mind posting your collabora-related iptables, just for users who might have the same issue (to check their values against yours)?

only post non-critical stuff - black them out :wink:

Well, as said above: I am using shorewall. So I can not paste the full iptables list here. If you use shorewall, you will know about the “policy” file. It requires something like

dock $FW ACCEPT

where “dock” is the zone name and assigned to interface docker0.

It would be better to have the policy set to REJECT or DROP and define exceptions in the “rules” file, but I do not know which connections the container is making to $FW. So currently I have to allow all traffic. Not optimal, but working.

That’s all :wink:

Thank you, this might be a great help for further investigation :wink: :+1:
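
The open question in the thread (which connections the container makes to $FW, so the policy can go back to REJECT with exceptions in the "rules" file) can be answered from the firewall log. The following is an added example, not part of the thread: it assumes the policy line is changed to `dock $FW REJECT info` so rejected packets are logged, and turns those log lines into candidate "rules" entries. The log lines, addresses and ports are constructed samples, and `sample_log` and `suggest_rules` are hypothetical names.

```shell
#!/bin/sh
# Added example: turn logged rejects from the Docker bridge into candidate
# Shorewall "rules" entries. Assumes the policy is "dock $FW REJECT info",
# so the kernel logs each rejected packet in the netfilter LOG format.

# Constructed sample log. Addresses and ports are illustrative only and say
# nothing about which ports CODE really needs.
sample_log() {
cat <<'EOF'
Jan 10 12:47:56 host kernel: Shorewall:dock2fw:REJECT:IN=docker0 OUT= SRC=172.17.0.2 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=443 SYN
Jan 10 12:47:57 host kernel: Shorewall:dock2fw:REJECT:IN=docker0 OUT= SRC=172.17.0.2 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40114 DPT=443 SYN
Jan 10 12:47:57 host kernel: Shorewall:dock2fw:REJECT:IN=docker0 OUT= SRC=172.17.0.2 DST=192.0.2.10 LEN=71 TTL=64 PROTO=UDP SPT=53211 DPT=53
Jan 10 12:47:58 host kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=51000 DPT=23 SYN
Jan 10 12:47:59 host kernel: Shorewall:dock2fw:REJECT:IN=docker0 OUT= SRC=172.17.0.2 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# suggest_rules IFACE ZONE: read kernel log lines on stdin and print one
# "ACCEPT ZONE $FW proto dport" line per distinct protocol/port pair that
# arrived on IFACE, with the packet count as a trailing comment.
suggest_rules() {
    awk -v iface="$1" -v zone="$2" '
        # Only packets that entered through the Docker bridge are of interest.
        index($0, "IN=" iface " ") == 0 { next }
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            # Packets without a destination port (e.g. ICMP) are skipped.
            if (proto != "" && dpt != "") seen[proto " " dpt]++
        }
        END {
            for (k in seen)
                printf "ACCEPT %s $FW %s # %d rejected packet(s)\n", zone, k, seen[k]
        }' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample; on a real host, feed the kernel
# log instead and review each suggested line before adding it to "rules".
sample_log | suggest_rules docker0 dock
```
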