CollaboraOnline / online

Collabora Online is a collaborative online office suite based on LibreOffice technology. This is also the source for the Collabora Office apps for iOS and Android.
https://collaboraonline.com

Docker: Failed to install seccomp syscall filter #1712

Closed mietzen closed 3 years ago

mietzen commented 3 years ago

Describe the bug: I'm trying to run Collabora on my NAS. I followed https://www.collaboraoffice.com/code/quick-tryout-nextcloud-docker/ but the container hangs up on startup:

```text
kit-00042-00040 2021-03-13 07:08:27.872827 [ kit_spare_001 ] DBG  Initialized jail nodes, dropped caps.| kit/Kit.cpp:2351
kit-00042-00040 2021-03-13 07:08:27.872837 [ kit_spare_001 ] DBG  Initializing LOK with instdir [/lo/program] and userdir [file:///tmp/user].| kit/Kit.cpp:2364
kit-00042-00040 2021-03-13 07:08:27.927824 [ kit_spare_001 ] ERR  Failed to install seccomp syscall filter| common/Seccomp.cpp:235
LibreOfficeKit seccomp security lockdown failed. Exiting.
kit-00042-00040 2021-03-13 07:08:27.927907 [ kit_spare_001 ] FTL  LibreOfficeKit seccomp security lockdown failed. Exiting.| kit/Kit.cpp:2399
frk-00040-00040 2021-03-13 07:08:28.338345 [ forkit ] WRN  No live Kits exist, and we are not terminating yet.| kit/ForKit.cpp:279
sh: 1: /usr/bin/loolmount: Operation not permitted
frk-00040-00040 2021-03-13 07:08:28.377463 [ forkit ] ERR  Failed to unmount [/opt/lool/child-roots/RMEM16pykOzrp1zV/tmp].| common/JailUtil.cpp:68
sh: 1: /usr/bin/loolmount: Operation not permitted
frk-00040-00040 2021-03-13 07:08:28.416101 [ forkit ] ERR  Failed to unmount [/opt/lool/child-roots/RMEM16pykOzrp1zV/lo].| common/JailUtil.cpp:68
sh: 1: /usr/bin/loolmount: Operation not permitted
frk-00040-00040 2021-03-13 07:08:28.444959 [ forkit ] ERR  Failed to unmount [/opt/lool/child-roots/RMEM16pykOzrp1zV].| common/JailUtil.cpp:68
wsd-00008-00039 2021-03-13 07:08:32.341092 [ prisoner_poll ] TRC  Poll completed with 0 live polls max (5000000us)(timedout)| net/Socket.cpp:236
wsd-00008-00039 2021-03-13 07:08:32.341162 [ prisoner_poll ] TRC  ppoll start, timeoutMicroS: 5000000 size 2| net/Socket.cpp:217
```

To Reproduce: Steps to reproduce the behavior: Run `docker run -t -d -p 9980:9980 -e "extra_params=--o:ssl.enable=false" collabora/code`

$ docker --version
Docker version 18.09.8, build bfed4f5

$ docker-compose --version
docker-compose version 1.24.0, build 0aa59064

$ uname -r
4.4.59+

Full Log is attached: _nextcloud-collabora_logs.txt

thebearon commented 3 years ago

Probably your NAS doesn't support the feature; I'm not sure Collabora Online could realistically run on NASes. Perhaps @mmeeks can comment on that.

mietzen commented 3 years ago

> Probably your NAS doesn't support the feature; I'm not sure Collabora Online could realistically run on NASes. Perhaps @mmeeks can comment on that.

What do you mean by "the feature"? So my kernel is probably missing seccomp?

Edit: Yes, it's missing seccomp, too bad. I guess there is no way of running it without seccomp?

mmeeks commented 3 years ago

Well - loolwsd.xml has a security setting:

```xml
<security desc="Altering these defaults potentially opens you to significant risk">
  <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp>
</security>
```

You can unset that - and lose one of the (many) layers of our security onion. That's normal enough though for home use - particularly if you trust those who are using the server along with you =)

mmeeks commented 3 years ago

Oh - and of course, we can run on a NAS =)

mietzen commented 3 years ago

> Well - loolwsd.xml has a security setting:
>
> ```xml
> <security desc="Altering these defaults potentially opens you to significant risk">
>   <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp>
> </security>
> ```
>
> You can unset that - and lose one of the (many) layers of our security onion. That's normal enough though for home use - particularly if you trust those who are using the server along with you =)

I've created a collabora/CODE container with seccomp disabled: https://hub.docker.com/r/mietzen/synology-collabora (auto-build on base image change is enabled)

If anybody has the same problem, feel free to use it / fork it.

mietzen commented 2 years ago

> Well - loolwsd.xml has a security setting:
>
> ```xml
> <security desc="Altering these defaults potentially opens you to significant risk">
>   <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp>
> </security>
> ```
>
> You can unset that - and lose one of the (many) layers of our security onion. That's normal enough though for home use - particularly if you trust those who are using the server along with you =)

If anyone stumbles over this: the config is now called coolwsd.xml, under /etc/coolwsd/coolwsd.xml
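As an added example (not code from the thread or from the Collabora project): a small POSIX shell script that checks whether the host kernel exposes seccomp at all, so the filter is only switched off on hosts like the NAS kernel above that cannot install it, and keeps the default on every other host. It assumes that `/proc/<pid>/status` carries a `Seccomp:` field only on kernels built with CONFIG_SECCOMP, and that the `--o:` override syntax used in the report's `docker run` line maps onto the `security/seccomp` path of coolwsd.xml (loolwsd.xml on older builds); the constructed status files in the usage are not real host data.

```shell
#!/bin/sh
# Added example, not part of the issue thread or of Collabora Online.
# Assumption: kernels with CONFIG_SECCOMP list a "Seccomp:" field in
# /proc/<pid>/status (0 = off, 1 = strict, 2 = filter); kernels without
# seccomp support, like the NAS kernel in the report, have no such field.

# kernel_has_seccomp STATUS_FILE
# Returns 0 when STATUS_FILE shows a Seccomp: field, 1 otherwise.
# "Seccomp_filters:" on newer kernels is a different field and is not matched.
kernel_has_seccomp() {
    grep -q '^Seccomp:' "$1" 2>/dev/null
}

# seccomp_mode STATUS_FILE
# Prints the numeric mode from the Seccomp: field, or "none" when absent.
seccomp_mode() {
    mode=$(sed -n 's/^Seccomp:[[:space:]]*//p' "$1" 2>/dev/null)
    printf '%s\n' "${mode:-none}"
}

# extra_params STATUS_FILE
# Prints the extra_params value for the container. The seccomp layer stays on
# whenever the kernel can enforce it; the override (assumed to map onto
# security/seccomp in coolwsd.xml) is only appended when the kernel lacks it.
extra_params() {
    base='--o:ssl.enable=false'
    if kernel_has_seccomp "$1"; then
        printf '%s\n' "$base"
    else
        printf '%s --o:security.seccomp=false\n' "$base"
    fi
}

# docker_run_cmd STATUS_FILE
# Prints the docker run line from the report with the computed extra_params.
docker_run_cmd() {
    printf 'docker run -t -d -p 9980:9980 -e "extra_params=%s" collabora/code\n' \
        "$(extra_params "$1")"
}

# Stand-alone use: inspect the kernel this script is running on.
printf 'seccomp mode: %s\n' "$(seccomp_mode /proc/self/status)"
docker_run_cmd /proc/self/status
```

Run it on the NAS itself (not on a workstation) since the decision depends on the host kernel; on a kernel that reports no `Seccomp:` field the printed command disables the filter, which is the same trade-off mmeeks describes above.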