Closed MariusQuabeck closed 1 year ago
Hm... can you follow https://github.com/nextcloud/all-in-one/discussions/1358
will do and report back
I did check the hosts file, it looks ok
# /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
the allow list for WOPI requests input field does not show up on the page
output from curl -vvv https://$NC_DOMAIN:443/hosting/discovery
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=redactedURL
* start date: Apr 2 04:16:39 2023 GMT
* expire date: Jul 1 04:16:38 2023 GMT
* subjectAltName: host "redactedURL" matched cert's "redactedURL"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /hosting/discovery]
* h2h3 [:scheme: https]
* h2h3 [:authority: redactedURL]
* h2h3 [user-agent: curl/7.83.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7fd0dc7b71b0)
> GET /hosting/discovery HTTP/2
> Host: redactedURL
> user-agent: curl/7.83.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
Nothing further gets returned by the command above?
If no, can you please post the full collabora logs here?
That was all I could see from the Linode console; there might be more, but it won't let me scroll up, nor does it correctly show anything if I pipe the output to a file. Same via SSH.
here is the full collabora log https://cloud.nerdzoom.media/s/7TRwcwxejn2H7ba
Found your problem:
frk-00031-00031 2023-04-27 17:58:20.263938 +0000 [ coolforkit ] ERR Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:237
frk-00031-00031 2023-04-27 17:58:20.263938 +0000 [ coolforkit ] ERR Capability cap_mknod is not set for the coolforkit program.| kit/ForKit.cpp:237
frk-00031-00031 2023-04-27 17:58:20.263943 +0000 [ coolforkit ] ERR Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:237
frk-00031-00031 2023-04-27 17:58:20.263948 +0000 [ coolforkit ] ERR Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:237
Capabilities are not set for the coolforkit program.
The question is now why this is happening for you...
I found a really nice article which helps with debugging this: https://earthly.dev/blog/intro-to-linux-capabilities/
Can you run sudo docker inspect nextcloud-aio-collabora | grep Pid
And use the Pid in the following command:
sudo getpcaps <container-pid>
I need the output of the second command.
Please additionally post the output of sudo capsh --print
root@cloud:~# sudo docker nextcloud-aio-collabora | grep Pid
docker: 'nextcloud-aio-collabora' is not a docker command.
See 'docker --help'
Sorry, I updated the instructions. Please try again.
ah thank you, I was just trying to understand this blog post
output:
root@cloud:~# sudo docker inspect nextcloud-aio-collabora | grep Pid
"Pid": 24090,
"PidMode": "",
"PidsLimit": null,
root@cloud:~# sudo getpcaps 24090
24090: =
root@cloud:~# sudo capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
I'm afraid this doesn't contain what you were hoping for :/
It shows that indeed no capabilities are granted to the container, so it confirms my assumption. Still, the question is why.
I just upgraded docker on my test instance to 23.0.5 and collabora still works. So that also doesn't seem to be it...
Can you post the output of sudo docker info?
And on which hoster are you currently?
For me docker info returns this:
Server:
Containers: 11
Running: 9
Paused: 0
Stopped: 2
Images: 13
Server Version: 23.0.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
runc version: v1.1.5-0-gf19387a
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.15.0-71-generic
Operating System: Ubuntu 22.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.738GiB
Name: aio-testing1
ID: 5T4Z:Y64Q:ET2R:72X2:25DQ:4BU4:6NZ3:WGHF:6WTS:ON3V:YQPS:3UJZ
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
sudo docker info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.10.4
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.17.3
Path: /usr/libexec/docker/cli-plugins/docker-compose
scan: Docker Scan (Docker Inc.)
Version: v0.23.0
Path: /usr/libexec/docker/cli-plugins/docker-scan
Server:
Containers: 9
Running: 7
Paused: 0
Stopped: 2
Images: 10
Server Version: 23.0.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
runc version: v1.1.5-0-gf19387a
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.15.0-71-generic
Operating System: Ubuntu 22.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.832GiB
Name: cloud.nerdzoom.media
ID: WQZ5:U46M:FC5U:QGNY:5W3A:AES5:7DMR:QFHM:IIVT:ZZEC:LLYJ:GCN6
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
And it gets even more interesting: getpcaps also returns zero for the resulting collabora container on my end, but the container still works without throwing these errors...
Apparently one of the child processes has the caps applied:
Can you also try this? (Get the child processes with pgrep -P.)
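As an added example (not code from this thread or from the AIO project), the check the maintainer describes can be done in one script: read the raw capability masks the kernel exposes in /proc/<pid>/status, decode them into the same names capsh prints, and repeat that for the container's init process and every descendant found with pgrep -P. It assumes a Linux host with procfs, a pgrep that supports -P, and docker only for the --container mode; the bit numbers follow the kernel's capability.h ordering, which is also the order in the "Bounding set" line above. The sample masks in the comments are constructed for illustration except where noted.

```sh
#!/bin/sh
# Decode /proc/<pid>/status capability masks and walk a container's process tree.
# Added example; assumes Linux procfs, pgrep -P, and (for --container) docker.
# Bit i of a mask corresponds to the i-th name below (kernel capability.h order).

CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"

# Docker's default effective set for an unprivileged container (well-known value,
# the 14 caps from chown through setfcap); 0000000000000000 is what getpcaps shows as "=".
DOCKER_DEFAULT_CAPS="00000000a80425fb"

# decode_caps HEXMASK -> comma-separated capability names set in the mask, or "(none)"
decode_caps() {
    [ -n "$1" ] || { printf '(unknown)\n'; return 1; }
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out:-(none)}"
}

# has_cap HEXMASK cap_name -> exit 0 if the named capability is set in the mask
has_cap() {
    case ",$(decode_caps "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# caps_of PID -> the five capability sets of one process, raw and decoded
caps_of() {
    status="/proc/$1/status"
    [ -r "$status" ] || { echo "cannot read $status" >&2; return 1; }
    for set in CapInh CapPrm CapEff CapBnd CapAmb; do
        hex=$(awk -v k="$set:" '$1 == k { print $2 }' "$status")
        printf '  %-7s %s  %s\n' "$set" "$hex" "$(decode_caps "$hex")"
    done
}

# caps_tree PID -> caps_of for PID and, recursively, every child found via pgrep -P
caps_tree() {
    pid=$1
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    echo "== pid $pid (${comm:-?}) =="
    caps_of "$pid"
    for child in $(pgrep -P "$pid"); do
        caps_tree "$child"
    done
}

# Usage:
#   sh caps_tree.sh --pid 24090
#   sh caps_tree.sh --container nextcloud-aio-collabora   (resolves the init pid via docker inspect)
case "${1:-}" in
    --pid)       caps_tree "$2" ;;
    --container) caps_tree "$(docker inspect -f '{{.State.Pid}}' "$2")" ;;
esac
```

Run it against the pid from docker inspect and compare the CapEff line of the container's init process with those of the coolwsd and coolforkit children: the four names the ForKit log complains about (cap_sys_chroot, cap_mknod, cap_fowner, cap_chown) are bits 18, 27, 3 and 0, so a mask of 0000000008040009 decodes to exactly that set, and all four are part of Docker's default set above. A process whose CapEff decodes to "(none)" is what getpcaps reports as "24090: =".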
I've finally updated AIO to 4.9.0 and can now no longer access Nextcloud Office
the AIO page shows all containers running OK
but still...
nextcloud-aio-collabora log (this part keeps repeating itself):
nextcloud-aio-nextcloud log: