* [PVE-User] loolwsd and unprivileged LXC Containers...
@ 2020-09-28 21:00 Marco Gaiarin
2020-10-16 16:03 ` Marco Gaiarin
0 siblings, 1 reply; 2+ messages in thread
From: Marco Gaiarin @ 2020-09-28 21:00 UTC (permalink / raw)
To: pve-user
[ Also here:
https://github.com/CollaboraOnline/richdocumentscode/issues/72
]
I've installed Collabora Online on a debian buster LXC unprivilegend container mostly following NextCloud info in https://nextcloud.com/collaboraonline/; loolwsd start as expected, Nextclud connect to the instance but when i try to open a document i got:
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/ridzJ5vsTwBcah6P] readonly: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.797451 [ kit_spare_002 ] ERR Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/ridzJ5vsTwBcah6P/] readonly.| common/JailUtil.cpp:59
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.797520 [ kit_spare_002 ] WRN Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/ridzJ5vsTwBcah6P/], will link/copy contents.| kit/Kit.cpp:2149
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/ridzJ5vsTwBcah6P/tmp] failed: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.827965 [ kit_spare_002 ] ERR Failed to unmount [/opt/lool/child-roots/ridzJ5vsTwBcah6P/tmp].| common/JailUtil.cpp:70
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/ridzJ5vsTwBcah6P/lo] failed: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.847363 [ kit_spare_002 ] ERR Failed to unmount [/opt/lool/child-roots/ridzJ5vsTwBcah6P/lo].| common/JailUtil.cpp:70
Sep 25 15:27:42 vnclpb1 systemd[15367]: opt-lool-child\x2droots-ridzJ5vsTwBcah6P.mount: Succeeded.
Sep 25 15:27:42 vnclpb1 systemd[1]: opt-lool-child\x2droots-ridzJ5vsTwBcah6P.mount: Succeeded.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/ridzJ5vsTwBcah6P] failed: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.880200 [ kit_spare_002 ] ERR Failed to unmount [/opt/lool/child-roots/ridzJ5vsTwBcah6P/].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:43.283542 [ kit_spare_002 ] ERR mknod(/opt/lool/child-roots/ridzJ5vsTwBcah6P//tmp/dev/random) failed. Mount must not use nodev flag. (EPERM: Operation not permitted)| common/JailUtil.cpp:228
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:43.283625 [ kit_spare_002 ] ERR mknod(/opt/lool/child-roots/ridzJ5vsTwBcah6P//tmp/dev/urandom) failed. Mount must not use nodev flag. (EPERM: Operation not permitted)| common/JailUtil.cpp:240
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/Il1oS2dgPsdODGa9] readonly: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.557557 [ kit_spare_003 ] ERR Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/Il1oS2dgPsdODGa9/] readonly.| common/JailUtil.cpp:59
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.557623 [ kit_spare_003 ] WRN Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/Il1oS2dgPsdODGa9/], will link/copy contents.| kit/Kit.cpp:2149
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4] readonly: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.564909 [ kit_spare_004 ] ERR Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/] readonly.| common/JailUtil.cpp:59
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.564977 [ kit_spare_004 ] WRN Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/], will link/copy contents.| kit/Kit.cpp:2149
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/Il1oS2dgPsdODGa9/tmp] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.600571 [ kit_spare_003 ] ERR Failed to unmount [/opt/lool/child-roots/Il1oS2dgPsdODGa9/tmp].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/tmp] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.603914 [ kit_spare_004 ] ERR Failed to unmount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/tmp].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/Il1oS2dgPsdODGa9/lo] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.627610 [ kit_spare_003 ] ERR Failed to unmount [/opt/lool/child-roots/Il1oS2dgPsdODGa9/lo].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/lo] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.642396 [ kit_spare_004 ] ERR Failed to unmount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/lo].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 systemd[15367]: opt-lool-child\x2droots-Il1oS2dgPsdODGa9.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 systemd[1]: opt-lool-child\x2droots-Il1oS2dgPsdODGa9.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/Il1oS2dgPsdODGa9] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.661583 [ kit_spare_003 ] ERR Failed to unmount [/opt/lool/child-roots/Il1oS2dgPsdODGa9/].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 systemd[15367]: opt-lool-child\x2droots-XuuVkTQOzdi6lfl4.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 systemd[1]: opt-lool-child\x2droots-XuuVkTQOzdi6lfl4.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/XuuVkTQOzdi6lfl4] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.697419 [ kit_spare_004 ] ERR Failed to unmount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/].| common/JailUtil.cpp:70
and in the host system (Proxmox VE 6):
Sep 25 15:27:42 ino kernel: [433028.908691] audit: type=1400 audit(1601040462.792:24): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/opt/lool/child-roots/ridzJ5vsTwBcah6P/" pid=3673 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"
Sep 25 15:27:43 ino kernel: [433029.669132] audit: type=1400 audit(1601040463.552:25): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/opt/lool/child-roots/Il1oS2dgPsdODGa9/" pid=3813 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"
Sep 25 15:27:43 ino kernel: [433029.676506] audit: type=1400 audit(1601040463.560:26): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/opt/lool/child-roots/XuuVkTQOzdi6lfl4/" pid=3814 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"
I've tried to disable options like 'mount_jail_tree' and 'capabilities'
in loolwsd configuration with no luck.
Collabora Online is incompatible with unprivileged containers?! Or
there are some specific capability in the container that i can relax to
make it work?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PVE-User] loolwsd and unprivileged LXC Containers...
2020-09-28 21:00 [PVE-User] loolwsd and unprivileged LXC Containers Marco Gaiarin
@ 2020-10-16 16:03 ` Marco Gaiarin
0 siblings, 0 replies; 2+ messages in thread
From: Marco Gaiarin @ 2020-10-16 16:03 UTC (permalink / raw)
To: pve-user
I come back on this.
> Collabora Online is incompatible with unprivileged containers?! Or
> there are some specific capability in the container that i can relax to
> make it work?
Following some hint, i've tried to enable 'nesting' in container. And
strange things happens.
On PVE5 (buster container), it work.
On PVE6 (again, buster container), no.
Mah...
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-10-16 16:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-28 21:00 [PVE-User] loolwsd and unprivileged LXC Containers Marco Gaiarin
2020-10-16 16:03 ` Marco Gaiarin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal