CollaboraOnline / Docker-CODE

Dockerfile and scripts to generate CODE Docker image

ERR Failed to load: file:///user/docs/nXqzbaME0Cw3450N/About.odt, error: loadComponentFromURL returned an empty reference| kit/Kit.cpp:1484 #23

Open greg0r opened 6 years ago

greg0r commented 6 years ago

I try to connect nextcloud running on server1 with CODE 3 running on server2. Opening a document gives me the CODE menu but then I get a message which says that the document could not be loaded.

Versions

Collabora Office 5.3.10.36 Build bb5e55d407c013b5b59459d9551268924cd7f785
Nextcloud 12.04

Logs

wsd-00025-00034 23:45:41.797344 [ websrv_poll ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:471
wsd-00025-00038 23:45:42.552152 [ docbroker_001 ] WRN  Missing JSON property [WatermarkText]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552289 [ docbroker_001 ] WRN  Missing JSON property [HidePrintOption]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552356 [ docbroker_001 ] WRN  Missing JSON property [HideSaveOption]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552429 [ docbroker_001 ] WRN  Missing JSON property [HideExportOption]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552546 [ docbroker_001 ] WRN  Missing JSON property [EnableOwnerTermination]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552605 [ docbroker_001 ] WRN  Missing JSON property [DisablePrint]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552658 [ docbroker_001 ] WRN  Missing JSON property [DisableExport]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552706 [ docbroker_001 ] WRN  Missing JSON property [DisableCopy]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.552793 [ docbroker_001 ] WRN  Missing JSON property [DisableInactiveMessages]| wsd/Storage.cpp:421
wsd-00025-00038 23:45:42.901448 [ docbroker_001 ] WRN  Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:280
kit-00032-00039 23:45:43.210406 [ lokit_001 ] ERR  Failed to load: file:///user/docs/nXqzbaME0Cw3450N/About.odt, error: loadComponentFromURL returned an empty reference| kit/Kit.cpp:1484
kit-00032-00039 23:45:43.211604 [ lokit_001 ] ERR  Failed to get LoKitDocument instance.| kit/ChildSession.cpp:363
kit-00032-00039 23:45:43.211793 [ lokit_001 ] WRN  Document::ViewCallback. Session [-1] is no longer active to process [STATUS_INDICATOR_START] [(nil)] message to Master Session.| kit/Kit.cpp:1799
kit-00032-00039 23:45:43.211824 [ lokit_001 ] WRN  Document::ViewCallback. Session [-1] is no longer active to process [STATUS_INDICATOR_SET_VALUE] [100] message to Master Session.| kit/Kit.cpp:1799
kit-00032-00039 23:45:43.211842 [ lokit_001 ] WRN  Document::ViewCallback. Session [-1] is no longer active to process [STATUS_INDICATOR_FINISH] [(nil)] message to Master Session.| kit/Kit.cpp:1799
wsd-00025-00038 23:45:43.334510 [ docbroker_001 ] ERR  Socket #22 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
wsd-00025-00038 23:45:43.334806 [ docbroker_001 ] ERR  Socket #22 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273
wsd-00025-00038 23:45:43.335240 [ docbroker_001 ] WRN  ToClient-0002: Exception while closing socket for docKey [/apps/richdocuments/wopi/files/108_ocvfpdq3o6vh]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:919
kit-00032-00039 23:45:43.335366 [ lokit_001 ] WRN  Skipping unload on incomplete view.| kit/ChildSession.cpp:72
kit-00032-00039 23:45:43.335412 [ lokit_001 ] ERR  No socket associated with WebSocketHandler 0x0x136a1dd0| ./net/WebSocketHandler.hpp:100
wsd-00025-00038 23:45:43.857892 [ docbroker_001 ] ERR  #21: Wrote outgoing data -1 bytes. (errno: Broken pipe)| ./net/Socket.hpp:927
wsd-00025-00038 23:45:43.857974 [ docbroker_001 ] ERR  #21: Wrote outgoing data -1 bytes. (errno: Broken pipe)| ./net/Socket.hpp:927
wsd-00025-00026 23:45:43.858205 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: true, finished: true| ./net/Socket.hpp:507
wsd-00025-00026 23:45:43.858244 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: true, finished: true| ./net/Socket.hpp:507
wsd-00025-00026 23:45:43.858293 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: false, finished: true| ./net/Socket.hpp:507
wsd-00025-00026 23:45:43.858313 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: false, finished: true| ./net/Socket.hpp:507

Thank you for your great work, guys.

spantaleev commented 5 years ago

I'm hitting the same problem with the Docker image. I've tried collabora/code:3.4.0.8 and a few earlier versions.

At some point turning logging up to debug yielded a slightly more descriptive error:

[ lokit_002 ] ERR  Failed to load: file:///user/docs/J59M6usQHRz6Sv4E/About.odt, error: Unsupported URL <file:///user/docs/J59M6usQHRz6Sv4E/About.odt>: "type detection failed"| kit/Kit.cpp:1554

Still, I'm not sure how to proceed from it.

I've even tried building my own Docker image of Collabora Online, based on CentOS 7.5. I've confirmed things working on CentOS 7.5 in a VM, without Docker, so I tried replicating that setup as a container. Unfortunately, I'm hitting the same exact problem with my own image too. For some reason it won't work in a container.

This is on Docker CE 18.06 with the overlay2 storage driver backed by an xfs filesystem. I'm starting the container with the root user and with --cap-add MKNOD. I even tried adding --privileged or --cap-add ALL, but to no avail. SELinux is completely disabled too.

antiuser commented 5 years ago

Same issue

Debian 9

Installed packages:

ii collaboraoffice5.3 5.3.10.61-61 amd64 Brand module for Collabora Office 5.3 -61
ii collaboraoffice5.3-ure 5.3.10.61-61 amd64 UNO Runtime Environment -61
ii collaboraofficebasis5.3-calc 5.3.10.61-61 amd64 Calc module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-core 5.3.10.61-61 amd64 Core module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-draw 5.3.10.61-61 amd64 Draw module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-en-us 5.3.10.61-61 amd64 Language module for Collabora Office 5.3, language en_US -61
ii collaboraofficebasis5.3-en-us-calc 5.3.10.61-61 amd64 Calc language module for Collabora Office 5.3, language en_US -61
ii collaboraofficebasis5.3-en-us-res 5.3.10.61-61 amd64 Language resource module for Collabora Office 5.3, language en_US -61
ii collaboraofficebasis5.3-extension-pdf-import 5.3.10.61-61 amd64 PDF import extension for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-filter-data 5.3.10.61-61 amd64 Filter data for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-graphicfilter 5.3.10.61-61 amd64 Graphic filter module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-images 5.3.10.61-61 amd64 Images module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-impress 5.3.10.61-61 amd64 Impress module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-noto-fonts 5.3.10.61-61 amd64 Google Noto fonts for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-ooofonts 5.3.10.61-61 amd64 3rd party free fonts for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-ooolinguistic 5.3.10.61-61 amd64 Linguistic module for Collabora Office 5.3 -61
ii collaboraofficebasis5.3-ru 5.3.10.61-61 amd64 Language module for Collabora Office 5.3, language ru -61
ii collaboraofficebasis5.3-ru-res 5.3.10.61-61 amd64 Language resource module for Collabora Office 5.3, language ru -61
ii collaboraofficebasis5.3-writer 5.3.10.61-61 amd64 Writer module for Collabora Office 5.3 -61

nextcloud 15

kit-30603-30634 2018-12-15 07:59:58.870659 [ lokit_001 ] ERR Failed to load: file:///user/docs/vUTo5YFHFK8hLgq2/%D0%9F%D1%80%D0%BE%D0%B1%D0%BB%D0%B5%D0%BC%D0%BD%D1%8B%D0%B5%20%D0%B4%D0%BE%D0%BC%D0%B0.xlsx, error: Unsupported URL <file:///user/docs/vUTo5YFHFK8hLgq2/%D0%9F%D1%80%D0%BE%D0%B1%D0%BB%D0%B5%D0%BC%D0%BD%D1%8B%D0%B5%20%D0%B4%D0%BE%D0%BC%D0%B0.xlsx>: "type detection failed"| kit/Kit.cpp:1554
kit-30603-30634 2018-12-15 07:59:58.871407 [ lokit_001 ] ERR Failed to get LoKitDocument instance for [file:///user/docs/vUTo5YFHFK8hLgq2/%D0%9F%D1%80%D0%BE%D0%B1%D0%BB%D0%B5%D0%BC%D0%BD%D1%8B%D0%B5%20%D0%B4%D0%BE%D0%BC%D0%B0.xlsx].| kit/ChildSession.cpp:370
kit-30603-30634 2018-12-15 07:59:58.871764 [ lokit_001 ] WRN Document::ViewCallback. Session [-1] is no longer active to process [ERROR] [{ "classification": "error", "cmd": "load", "kind": "io", "code": "770", "message": "" } ] message to Master Session.| kit/Kit.cpp:1868
kit-30603-30634 2018-12-15 07:59:59.016644 [ lokit_001 ] WRN Skipping unload on incomplete view.| kit/ChildSession.cpp:72
kit-30603-30634 2018-12-15 07:59:59.016869 [ lokit_001 ] ERR No socket associated with WebSocketHandler 0x0x55fbbf7a18c0| ./net/WebSocketHandler.hpp:107
kit-30603-30599 2018-12-15 08:00:00.017809 [ loolkit ] FTL Document [/apps/richdocuments/wopi/files/895_ocdl5gkb92i9] has no more views, exiting bluntly.| kit/Kit.cpp:834

But I found the reason: if you try to open files whose names contain Cyrillic symbols, you get this error, but when I copy the file under a numeric name (without Cyrillic symbols), it works without errors. Please fix this issue.

UPD: Found a fix: check your supported system locales (en_US, ru_RU) with locale -a, change something in /etc/locale.gen, then run locale-gen -a. As for me, I'm not using Docker, so just add Environment="LANG=en_US.UTF-8" in the systemctl loolwsd service, then restart and you could be happy :)

faust64 commented 4 years ago

The type detection error with special characters is one thing, while previous posts were mentioning opening some About.odt file. Having set LANG, LANGUAGE, LC_CTYPE, locale-gen, dpkg-reconfigure locales, setting some value in /etc/default/locale, ... Trying with EN_US.UTF-8, C.UTF-8, ... I'm still hitting that "type detection failed" error.

wsd-00008-00057 2019-12-12 11:59:59.589612 [ docbroker_001 ] INF  WOPI::GetFile downloaded 77422 bytes from [https://<nextcloud-fqdn>/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq/contents?access_token=Hihot4xoFinarkt5u9w3WufMarIs4UWP&access_token_ttl=0] -> /opt/lool/child-roots/ru8DIe1C7zFSTTjw/user/docs/ru8DIe1C7zFSTTjw/About.odt in 0.321827s| wsd/Storage.cpp:854
wsd-00008-00057 2019-12-12 11:59:59.590039 [ docbroker_001 ] INF  SHA1 for DocKey [/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq] of [/user/docs/ru8DIe1C7zFSTTjw/About.odt]: da39a3ee5e6b4b0d3255bfef95601890afd80709| wsd/DocumentBroker.cpp:813
wsd-00008-00057 2019-12-12 11:59:59.590111 [ docbroker_001 ] INF  TileCache ctor for uri [https://<nextcloud-fqdn>/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq?access_token=Hihot4xoFinarkt5u9w3WufMarIs4UWP&access_token_ttl=0], modifiedTime=1576151999], dontCache=false| wsd/TileCache.cpp:45
wsd-00008-00057 2019-12-12 11:59:59.590206 [ docbroker_001 ] INF  Filesystem [/opt/lool/child-roots/.] has 52666 MB free (51.9576%).| common/FileUtil.cpp:324
wsd-00008-00057 2019-12-12 11:59:59.590290 [ docbroker_001 ] DBG  #23 Thread affinity set to 0x7fa19affd700 (was 0).| ./net/Socket.hpp:282
wsd-00008-00031 2019-12-12 11:59:59.590353 [ admin ] DBG  Added admin document [/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq].| wsd/AdminModel.cpp:483
wsd-00008-00057 2019-12-12 11:59:59.590549 [ docbroker_001 ] INF  Requesting document load from child.| wsd/ClientSession.cpp:759
kit-00028-00026 2019-12-12 11:59:59.590563 [ kit_spare_001 ] INF  New session [05d] request on url [/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq].| kit/Kit.cpp:2128
kit-00028-00026 2019-12-12 11:59:59.590593 [ kitbroker_001 ] INF  Thread 26 (7f6faecf1000) of process 28 formerly known as [kit_spare_001] is now called [kitbroker_001].| common/Util.cpp:566
kit-00028-00026 2019-12-12 11:59:59.591683 [ kitbroker_001 ] INF  Document ctor for [/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq] url [/index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq] on child [ru8DIe1C7zFSTTjw] and id [001].| kit/Kit.cpp:724
kit-00028-00026 2019-12-12 11:59:59.591748 [ kitbroker_001 ] INF  Creating first session for url: /index.php/apps/richdocuments/wopi/files/28_oc3xnhn67wcq for sessionId: 05d on jailId: ru8DIe1C7zFSTTjw| kit/Kit.cpp:781
kit-00028-00026 2019-12-12 11:59:59.591779 [ kitbroker_001 ] INF  ChildSession ctor [ToMaster-05d].| kit/ChildSession.cpp:76
kit-00028-00026 2019-12-12 11:59:59.591798 [ kitbroker_001 ] DBG  Sessions: 1| kit/Kit.cpp:790
kit-00028-00026 2019-12-12 11:59:59.592067 [ kitbroker_001 ] INF  Loading url [file:///user/docs/ru8DIe1C7zFSTTjw/About.odt] for session [05d] which has 0 sessions. Another load in progress: 0| kit/Kit.cpp:1316
kit-00028-00026 2019-12-12 11:59:59.592097 [ kitbroker_001 ] INF  Loading new document from URI: [file:///user/docs/ru8DIe1C7zFSTTjw/About.odt] for session [05d].| kit/Kit.cpp:1603
kit-00028-00026 2019-12-12 11:59:59.592152 [ kitbroker_001 ] DBG  Calling lokit::documentLoad(file:///user/docs/ru8DIe1C7zFSTTjw/About.odt, "Language=en-en").| kit/Kit.cpp:1621
kit-00028-00026 2019-12-12 11:59:59.755049 [ kitbroker_001 ] DBG  Returned lokit::documentLoad(file:///user/docs/ru8DIe1C7zFSTTjw/About.odt) in 162.874ms.| kit/Kit.cpp:1627
kit-00028-00026 2019-12-12 11:59:59.755109 [ kitbroker_001 ] ERR  Failed to load: file:///user/docs/ru8DIe1C7zFSTTjw/About.odt, error: Unsupported URL <file:///user/docs/ru8DIe1C7zFSTTjw/About.odt>: "type detection failed"| kit/Kit.cpp:1635
kit-00028-00026 2019-12-12 11:59:59.755137 [ kitbroker_001 ] ERR  Failed to get LoKitDocument instance for [file:///user/docs/ru8DIe1C7zFSTTjw/About.odt].| kit/ChildSession.cpp:612
kit-00028-00026 2019-12-12 11:59:59.755192 [ kitbroker_001 ] WRN  Document::ViewCallback. Session [-1] is no longer active to process [LOK_CALLBACK_ERROR] [{
    "classification": "error",
    "cmd": "load",
    "kind": "io",
    "code": "0x302(Error Area:Io Class:NotExists Code:2)",
    "message": ""
}
] message to Master Session.| kit/Kit.cpp:1944
wsd-00008-00057 2019-12-12 11:59:59.755345 [ docbroker_001 ] WRN  Document load failed: faileddocloading| wsd/ClientSession.cpp:1112

AFAIU, that About.odt gets properly downloaded from NextCloud. I would eventually see a new sub-folder in /opt/lool/child-roots, with what I assume to be a copy of my file (it gets created then dropped almost instantly).

$ find /opt/lool/child-roots
...
/opt/lool/child-roots/IMektHGge9idCRq6/user/docs/IMektHGge9idCRq6/About.odt

I am now suspecting some missing library or dependency, though could not figure it out. Couldn't find missing libraries with ldd, the few binaries I checked seem to work properly. Pretty weird. Is there any chance that "Unsupported URL" error could be somewhat generic? Couldn't figure it out from sources, it seems to be legit, ... but file://<path> being unsupported makes no sense at all.

Scriptkiddi commented 4 years ago

@faust64 did you find a solution? I'm running into the same problem.

faust64 commented 4 years ago

No, I did not. I've also been trying with libreoffice/online:master, as well as building it myself on some ubuntu:18:04, I've got the exact same problem either way. I'm sure I'm doing something wrong, though I couldn't figure out what yet...

Scriptkiddi commented 4 years ago

Short question: are you running this on an NFS root system? Because I get to this point when I turn off the capabilities, since they are not supported for NFS.

faust64 commented 4 years ago

I'm using an emptyDir. I could be wrong, though I'm not sure persisting data on that container is required, as I expect NextCloud to do this.

Then again, you're right. For that error to show up, I did remove caps from the loolforkit binary.

When keeping them, I would see the following:

/usr/bin/loolforkit: Operation not permitted

Running OpenShift, we have SecurityContextConstraints that would limit what most containers can do (kinda like PodSecurityPolicy with Kubernetes, though comes with a restrictive configuration by default, which I try to stick with).

I've been trying to:

None of it worked. As long as loolforkit has caps, I'd be hitting with permissions denied, regardless of my config.xml settings. Container would just restart in a loop. Without caps, container does start, I can get to the management interface, the health check URL works, all seems fine, ... and yet, document fails to load with the previously mentioned invalid URL errors.

Either way, I can't see anything wrong in my nodes audit logs nor Kubernetes logs.

For the record, that SCC I've been testing, which is a duplicate from OpenShift default, adding what I thought to be necessary:

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- MKNOD
- SYS_CHROOT
apiVersion: security.openshift.io/v1
defaultAddCapabilities:
- FOWNER
- MKNOD
- SYS_CHROOT
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
...
  name: restricted-lool
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:<my-test-project>:<serviceaccount-running-lool-container>
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

faust64 commented 4 years ago

erratum: checking again, the above SCC seems to work as expected. I probably fucked up something in between.

So, for the record, here's how to deploy Lool on OpenShift:

apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: lool-demo
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: lool-demo
  rules:
  - apiGroups:
    - security.openshift.io
    resourceNames:
    - restricted-lool
    resources:
    - securitycontextconstraints
    verbs:
    - use
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: lool-demo
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: lool-demo
  subjects:
  - kind: ServiceAccount
    name: lool-demo
    namespace: lool-demo
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  - FOWNER
  - MKNOD
  - SYS_CHROOT
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  - FOWNER
  - MKNOD
  - SYS_CHROOT
  fsGroup:
    type: MustRunAs
  groups: []
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: restricted-lool denies access to all host features and requires
        pods to be run with a UID, and SELinux context that are allocated to the namespace. It
        pretty much matches the default restricted SecurityContextConstraint, with the
        exception of granting FOWNER, MKNOD and SYS_CHROOT capabilities, required by
        LibreOfficeOnline.
    name: restricted-lool
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users:
  - system:serviceaccount:lool-demo:lool-demo
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: lool-demo-cert
    name: lool-demo
  spec:
    ports:
    - name: tcp-9980
      port: 9980
      protocol: TCP
      targetPort: 9980
    selector:
      name: lool-demo
- apiVersion: v1
  kind: Secret
  metadata:
    name: lool-demo
  stringData:
    admin-password: demo-pw
    admin-username: demo-admin
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    labels:
      name: lool-demo
    name: lool-demo
  spec:
    replicas: 1
    selector:
      name: lool-demo
    strategy:
      type: Rolling
    template:
      metadata:
        labels:
          name: lool-demo
      spec:
        containers:
        - env:
          - name: password
            valueFrom:
              secretKeyRef:
                key: admin-password
                name: lool-demo
          - name: username
            valueFrom:
              secretKeyRef:
                key: admin-username
                name: lool-demo
          - name: DONT_GEN_SSL_CERT
            value: dont
          image: <not-exactly-using-official-images>
          livenessProbe:
            failureThreshold: 15
            httpGet:
              path: /
              port: 9980
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 20
            successThreshold: 1
            timeoutSeconds: 1
          name: lool
          ports:
          - containerPort: 9980
            protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 9980
              scheme: HTTPS
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 500m
              memory: 1Gi
            requests:
              cpu: 300m
              memory: 768Mi
          securityContext:
            capabilities:
              add:
              - FOWNER
              - MKNOD
              - SYS_CHROOT
              drop:
              - KILL
              - SETGID
              - SETUID
            procMount: Default
          volumeMounts:
          - mountPath: /etc/loolwsd/server.crt
            name: certs
            subPath: tls.crt
          - mountPath: /etc/loolwsd/server.key
            name: certs
            subPath: tls.key
          - mountPath: /opt/lool/child-roots
            name: data
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        serviceAccount: lool-demo
        serviceAccountName: lool-demo
        terminationGracePeriodSeconds: 30
        volumes:
        - name: certs
          secret:
            secretName: lool-demo-cert
        - emptyDir: {}
          name: data
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    name: lool-demo
  spec:
    tls:
      insecureEdgeTerminationPolicy: Redirect
      termination: reencrypt
    to:
      kind: Service
      name: lool-demo
      weight: 100

Though I'm not using the official image. One of my customizations involves some XML config changes pointing the CA path to OpenShift service CA. I'm still disabling seccomp. Would eventually publish to github, once I'd have figured out the last details, ...

Sorry for the noise.
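
An added example, not part of the thread or of the project's code: per capabilities(7), execve fails with EPERM when a binary's file capabilities have the effective bit set and the process cannot obtain all of the file's permitted capabilities, which matches the "/usr/bin/loolforkit: Operation not permitted" symptom above. The script decodes a CapBnd mask, as read from /proc/<pid>/status inside the container, and lists which of the capabilities named in the restricted-lool SCC are absent. It assumes loolforkit's file capabilities are the three the SCC description names; the sample masks are constructed.

```shell
#!/bin/sh
# Added example: report which capabilities are missing from a container's
# capability bounding set (CapBnd in /proc/<pid>/status).

# Bit numbers from <linux/capability.h> for the capabilities in this thread.
cap_bit() {
  case "$1" in
    CHOWN) echo 0 ;;
    DAC_OVERRIDE) echo 1 ;;
    FOWNER) echo 3 ;;
    FSETID) echo 4 ;;
    KILL) echo 5 ;;
    SETGID) echo 6 ;;
    SETUID) echo 7 ;;
    SYS_CHROOT) echo 18 ;;
    MKNOD) echo 27 ;;
    *) return 1 ;;
  esac
}

# Read /proc/<pid>/status text on stdin and print the CapBnd hex mask.
capbnd_from_status() {
  awk '$1 == "CapBnd:" { print $2; exit }'
}

# missing_caps <hex-mask> <CAP>...
# Prints the space-separated names whose bit is clear in the mask.
# Runs in a subshell so its variables do not leak into the caller.
missing_caps() (
  mask=$((0x$1))
  shift
  missing=""
  for name in "$@"; do
    bit=$(cap_bit "$name") || { echo "unknown capability: $name" >&2; exit 2; }
    if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
      missing="${missing:+$missing }$name"
    fi
  done
  echo "$missing"
)

# Constructed sample: a common container default set with KILL, MKNOD,
# SETGID and SETUID removed, as a restrictive policy would leave it.
SAMPLE_RESTRICTED='Name:	loolwsd
CapBnd:	00000000a004251b'

# Constructed sample: same set with MKNOD kept, i.e. only the three
# capabilities in requiredDropCapabilities (KILL, SETUID, SETGID) removed.
SAMPLE_LOOL='Name:	loolwsd
CapBnd:	00000000a804251b'

REQUIRED="FOWNER MKNOD SYS_CHROOT"   # from the SCC description in the thread

for sample in "$SAMPLE_RESTRICTED" "$SAMPLE_LOOL"; do
  mask=$(printf '%s\n' "$sample" | capbnd_from_status)
  # $REQUIRED is intentionally unquoted so it splits into separate names.
  gone=$(missing_caps "$mask" $REQUIRED)
  if [ -n "$gone" ]; then
    echo "CapBnd $mask: missing $gone"
  else
    echo "CapBnd $mask: all required capabilities present"
  fi
done
```

Inside a running container, feed it the real value with `capbnd_from_status < /proc/1/status`.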