Collabora Does Not Start in AIO Helm Chart

[denppa]

Steps to reproduce

1. Download values.yml
2. helm -n nextcloud upgrade nextcloud nextcloud-aio/nextcloud-aio-helm-chart --values values.yml --install
3. kubectl -n nextcloud logs pods/nextcloud-aio-collabora-7d8dfd5f7f-ltv9d
4. Go to administration settings in web GUI -> Nextcloud Office -> Cannot connect to Collabora.

Expected behavior

Colabora should fork a server process and return an XML at https://mydomain.com/hosting/discovery

Actual behavior

curl https://mydomain.com/hosting/discovery hangs as there is no Collabora server process., Nextcloud cannot connect to Collabora.

Other information

• OS: Debian Bookworm
• Installed in Kubernetes v1.31
• Using containerd backend with runc

This is also mentioned in a PR, but was rejected as it should not run in priviliged mode, which I can understand. But installing this in a docker environment on the same host, using the same containerd runtime works, perhaps Kubernetes needs extra permissions?

values.yml:

[values.yml](https://github.com/user-attachments/files/17851545/values.yml.txt

Other valuable info

Collabora logs:

wsd-00001-00011 2024-11-21 16:02:12.733014 -0500 [ prisoner_poll ] INF  Creating new forkit process.| wsd/COOLWSD.cpp:3511
wsd-00001-00011 2024-11-21 16:02:12.733099 -0500 [ prisoner_poll ] INF  Launching forkit process: /usr/bin/coolforkit-caps --systemplate=/opt/cool/systemplate --lotemplate=/opt/collaboraoffice --childroot=/opt/cool/child-roots/1-b2ff1fef/ --clientport=9980 --masterport=coolwsd-i7YqrOhq --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --noseccomp --ui=default| wsd/COOLWSD.cpp:3628
wsd-00001-00011 2024-11-21 16:02:12.733853 -0500 [ prisoner_poll ] INF  Forkit process launched: 12| wsd/COOLWSD.cpp:3634
wsd-00001-00011 2024-11-21 16:02:12.733867 -0500 [ prisoner_poll ] TRC  Rebalance children to 3, have 0 and 1 outstanding requests| wsd/COOLWSD.cpp:515
wsd-00001-00011 2024-11-21 16:02:12.733885 -0500 [ prisoner_poll ] TRC  Rebalance children to 4, have 0 and 1 outstanding requests| wsd/COOLWSD.cpp:515
wsd-00001-00011 2024-11-21 16:02:12.733895 -0500 [ prisoner_poll ] TRC  PollSocket container size increased from 0 + 1 to 1| net/Socket.cpp:650
frk-00012-00012 2024-11-21 16:02:12.741278 -0500 [ coolforkit-caps ] INF  Initializing frk. Local time: Thu 2024-11-21 16:02:12 -0500. Log level is [8]| common/Log.cpp:654
frk-00012-00012 2024-11-21 16:02:12.741312 -0500 [ coolforkit-caps ] INF  Setting log-level to [trace and delaying setting to configured [warning] until after Forkit initialization.| kit/ForKit.cpp:654
frk-00012-00012 2024-11-21 16:02:12.741353 -0500 [ coolforkit-caps ] INF  RLIMIT_AS is unlimited after setting it to unlimited.| common/Seccomp.cpp:287
frk-00012-00012 2024-11-21 16:02:12.741385 -0500 [ coolforkit-caps ] INF  RLIMIT_STACK is 8192000 bytes after setting it to 8192000 bytes.| common/Seccomp.cpp:287
frk-00012-00012 2024-11-21 16:02:12.741395 -0500 [ coolforkit-caps ] INF  Ignored setting RLIMIT_FSIZE to unlimited.| common/Seccomp.cpp:293
frk-00012-00012 2024-11-21 16:02:12.741406 -0500 [ coolforkit-caps ] INF  Ignored setting RLIMIT_NOFILE to unlimited.| common/Seccomp.cpp:293
frk-00012-00012 2024-11-21 16:02:12.741437 -0500 [ coolforkit-caps ] ERR  Security: Running without the ability to filter system calls is ill advised.| kit/ForKit.cpp:744
coolforkit version details: 24.04.9.1 - 55317ef
frk-00012-00012 2024-11-21 16:02:12.741452 -0500 [ coolforkit-caps ] DBG  About to init Kit UnitBase with test []| kit/ForKit.cpp:766
frk-00012-00012 2024-11-21 16:02:12.741516 -0500 [ coolforkit-caps ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:230
frk-00012-00012 2024-11-21 16:02:12.741536 -0500 [ coolforkit-caps ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:230
frk-00012-00012 2024-11-21 16:02:12.741553 -0500 [ coolforkit-caps ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:230
Capabilities are not set for the coolforkit program.
frk-00012-00012 2024-11-21 16:02:12.741573 -0500 [ coolforkit-caps ] FTL  Capabilities are not set for the coolforkit program.| kit/ForKit.cpp:780
Please make sure that the current partition was *not* mounted with the 'nosuid' option.
frk-00012-00012 2024-11-21 16:02:12.741592 -0500 [ coolforkit-caps ] FTL  Please make sure that the current partition was *not* mounted with the 'nosuid' option.| kit/ForKit.cpp:781
If you are on SLES11, please set 'file_caps=1' as kernel boot option.
frk-00012-00012 2024-11-21 16:02:12.741611 -0500 [ coolforkit-caps ] FTL  If you are on SLES11, please set 'file_caps=1' as kernel boot option.| kit/ForKit.cpp:782
wsd-00001-00001 2024-11-21 16:02:12.732703 -0500 [ coolwsd ] INF  Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4433

cool@nextcloud-aio-collabora-7d77cb8fd8-b9lr4:/$ getcap /usr/bin/coolforkit-caps
/usr/bin/coolforkit-caps cap_chown,cap_fowner,cap_sys_chroot=ep

And then it loops forever.

[szaimen]

Hi, this gets refactored with #5601 soon.

[denppa]

Thanks, I will close this, as the true solution should be adding CAP_SYS_ADMIN for those who come across this.