From: Marco Gaiarin
To: pve-user@lists.proxmox.com
Date: Mon, 28 Sep 2020 23:00:18 +0200
Message-ID: <20200928210018.GA11555@lilliput.linux.it>
Subject: [PVE-User] loolwsd and unprivileged LXC Containers...

[ Also here: https://github.com/CollaboraOnline/richdocumentscode/issues/72 ]

I've installed Collabora Online on a Debian buster LXC unprivileged container mostly following NextCloud info in https://nextcloud.com/collaboraonline/; loolwsd starts as expected, Nextcloud connects to the instance but when I try to open a document I got:

Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/ridzJ5vsTwBcah6P] readonly: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.797451 [ kit_spare_002 ] ERR Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/ridzJ5vsTwBcah6P/] readonly.| common/JailUtil.cpp:59
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.797520 [ kit_spare_002 ] WRN Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/ridzJ5vsTwBcah6P/], will link/copy contents.| kit/Kit.cpp:2149
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/ridzJ5vsTwBcah6P/tmp] failed: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.827965 [ kit_spare_002 ] ERR Failed to unmount [/opt/lool/child-roots/ridzJ5vsTwBcah6P/tmp].| common/JailUtil.cpp:70
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/ridzJ5vsTwBcah6P/lo] failed: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.847363 [ kit_spare_002 ] ERR Failed to unmount [/opt/lool/child-roots/ridzJ5vsTwBcah6P/lo].| common/JailUtil.cpp:70
Sep 25 15:27:42 vnclpb1 systemd[15367]: opt-lool-child\x2droots-ridzJ5vsTwBcah6P.mount: Succeeded.
Sep 25 15:27:42 vnclpb1 systemd[1]: opt-lool-child\x2droots-ridzJ5vsTwBcah6P.mount: Succeeded.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/ridzJ5vsTwBcah6P] failed: Permission denied.
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:42.880200 [ kit_spare_002 ] ERR Failed to unmount [/opt/lool/child-roots/ridzJ5vsTwBcah6P/].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:43.283542 [ kit_spare_002 ] ERR mknod(/opt/lool/child-roots/ridzJ5vsTwBcah6P//tmp/dev/random) failed. Mount must not use nodev flag. (EPERM: Operation not permitted)| common/JailUtil.cpp:228
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15540-14256 2020-09-25 13:27:43.283625 [ kit_spare_002 ] ERR mknod(/opt/lool/child-roots/ridzJ5vsTwBcah6P//tmp/dev/urandom) failed. Mount must not use nodev flag. (EPERM: Operation not permitted)| common/JailUtil.cpp:240
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/Il1oS2dgPsdODGa9] readonly: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.557557 [ kit_spare_003 ] ERR Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/Il1oS2dgPsdODGa9/] readonly.| common/JailUtil.cpp:59
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.557623 [ kit_spare_003 ] WRN Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/Il1oS2dgPsdODGa9/], will link/copy contents.| kit/Kit.cpp:2149
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4] readonly: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.564909 [ kit_spare_004 ] ERR Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/] readonly.| common/JailUtil.cpp:59
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.564977 [ kit_spare_004 ] WRN Failed to mount [/opt/lool/systemplate] -> [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/], will link/copy contents.| kit/Kit.cpp:2149
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/Il1oS2dgPsdODGa9/tmp] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.600571 [ kit_spare_003 ] ERR Failed to unmount [/opt/lool/child-roots/Il1oS2dgPsdODGa9/tmp].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/tmp] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.603914 [ kit_spare_004 ] ERR Failed to unmount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/tmp].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/Il1oS2dgPsdODGa9/lo] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.627610 [ kit_spare_003 ] ERR Failed to unmount [/opt/lool/child-roots/Il1oS2dgPsdODGa9/lo].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/lo] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.642396 [ kit_spare_004 ] ERR Failed to unmount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/lo].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 systemd[15367]: opt-lool-child\x2droots-Il1oS2dgPsdODGa9.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 systemd[1]: opt-lool-child\x2droots-Il1oS2dgPsdODGa9.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/Il1oS2dgPsdODGa9] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15573-14256 2020-09-25 13:27:43.661583 [ kit_spare_003 ] ERR Failed to unmount [/opt/lool/child-roots/Il1oS2dgPsdODGa9/].| common/JailUtil.cpp:70
Sep 25 15:27:43 vnclpb1 systemd[15367]: opt-lool-child\x2droots-XuuVkTQOzdi6lfl4.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 systemd[1]: opt-lool-child\x2droots-XuuVkTQOzdi6lfl4.mount: Succeeded.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: forced unmount of [/opt/lool/child-roots/XuuVkTQOzdi6lfl4] failed: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: kit-15574-14256 2020-09-25 13:27:43.697419 [ kit_spare_004 ] ERR Failed to unmount [/opt/lool/child-roots/XuuVkTQOzdi6lfl4/].| common/JailUtil.cpp:70

and in the host system (Proxmox VE 6):

Sep 25 15:27:42 ino kernel: [433028.908691] audit: type=1400 audit(1601040462.792:24): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_" name="/opt/lool/child-roots/ridzJ5vsTwBcah6P/" pid=3673 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"
Sep 25 15:27:43 ino kernel: [433029.669132] audit: type=1400 audit(1601040463.552:25): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_" name="/opt/lool/child-roots/Il1oS2dgPsdODGa9/" pid=3813 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"
Sep 25 15:27:43 ino kernel: [433029.676506] audit: type=1400 audit(1601040463.560:26): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_" name="/opt/lool/child-roots/XuuVkTQOzdi6lfl4/" pid=3814 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"

I've tried to disable options like 'mount_jail_tree' and 'capabilities' in the loolwsd configuration with no luck.

Is Collabora Online incompatible with unprivileged containers?! Or is there some specific capability in the container that I can relax to make it work?

Thanks.

--
dott. Marco Gaiarin   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, category ONLUS or RICERCA SANITARIA)
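
Added example, not part of the original message and not Collabora or Proxmox code: a Python script that pairs each container-side "mount failed remount ... readonly" error with the host-side AppArmor denial for the same jail path and reports the profile and mount flags that were refused. The log text is a constructed sample in the shape of the lines quoted above; the jail names JAILAAAA and JAILBBBB and all function names are assumptions.

```python
import re

# Constructed sample in the shape of the log lines quoted in the message;
# the jail names JAILAAAA / JAILBBBB are placeholders, not values from it.
CONTAINER_LOG = """\
Sep 25 15:27:42 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/JAILAAAA] readonly: Permission denied.
Sep 25 15:27:43 vnclpb1 loolwsd[14250]: /usr/bin/loolmount: mount failed remount [/opt/lool/child-roots/JAILBBBB] readonly: Permission denied.
"""
HOST_LOG = """\
Sep 25 15:27:42 ino kernel: [433028.908691] audit: type=1400 audit(1601040462.792:24): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_" name="/opt/lool/child-roots/JAILAAAA/" pid=3673 comm="loolmount" flags="ro, nosuid, nodev, remount, noatime, rbind, silent"
Sep 25 15:27:43 ino kernel: [433029.100000] constructed unrelated kernel message
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
REMOUNT_FAIL = re.compile(r'loolmount: mount failed remount \[([^\]]+)\] readonly')

def parse_apparmor(line):
    """Return the fields of an AppArmor audit record as a dict, else None."""
    if 'apparmor=' not in line:
        return None
    rec = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    rec['flags'] = [f.strip() for f in rec.get('flags', '').split(',') if f.strip()]
    return rec

def denied_mounts(host_log):
    """Map jail path (trailing slash removed) to its denied mount record."""
    denied = {}
    for line in host_log.splitlines():
        rec = parse_apparmor(line)
        if rec and rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'mount':
            denied[rec.get('name', '').rstrip('/')] = rec
    return denied

def correlate(container_log, host_log):
    """Pair each failed read-only remount with the host denial, if one exists."""
    denied = denied_mounts(host_log)
    pairs = []
    for line in container_log.splitlines():
        m = REMOUNT_FAIL.search(line)
        if m:
            path = m.group(1).rstrip('/')
            rec = denied.get(path)
            pairs.append((path, rec and rec.get('profile'), rec and rec['flags']))
    return pairs

if __name__ == '__main__':
    for path, profile, flags in correlate(CONTAINER_LOG, HOST_LOG):
        print(path, profile or 'no host-side denial found', flags or '')
```

A container-side failure with no matching host record (the second sample line) comes back with `None` for profile and flags, which separates AppArmor denials from permission errors raised elsewhere.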