Unable to start Collabora-key container

J_Roeleveld 2020-03-18 07:55:07 UTC #1

Hi All,

I have finally got some time to continue with the migration/upgrade to 19.1.
I got Egroupware and Rocket.Chat working together, the next part is Collabora.

I am using the following as my docker-compose file:

github.com

EGroupware/egroupware/blob/master/doc/docker/docker-compose.yml

version: '3'
volumes:
  sources:
  db:
  data:
    driver_opts:
      type: none
      o: bind
      # to upgrade an existing non-docker installation most easy is to use the existing
      # data directory /var/lib/egroupware AND the host database see below
      #device: /var/lib/egroupware
      # otherwise data is stored in data subdirectory of the current directory
      device: $PWD/data
  # extra sources with apps not part of egroupware container
  #extra:
  #  driver_opts:
  #    type: none
  #    o: bind
  #    # location of deprecated EGroupware packages like Wiki, SiteMgr, KnowledgeBase
  #    device: /usr/share/egroupware

This file has been truncated. show original

When starting using “docker-compose up”, I notice collabora failing to start because it can’t find any certificate files.
Is it possible to run Collabora without HTTPS?
I am asking as I am, succesfully, running Egroupware and Rocket-chat behind a 2nd NGINX server which does all the SSL parts and egroupware and rocket-chat don’t need to be updated with my certificates.

Many thanks,

Joost

RalfBecker 2020-03-18 08:21:28 UTC #2

Hi Joost,

one important part of the documentation is missing here:

a) you first need to comment out the collabora-config volume in the service:

github.com

EGroupware/egroupware/blob/master/doc/docker/docker-compose.yml#L155


  #- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="secret"
  command: --schedule "0 0 4 * * *"
  container_name: egroupware-watchtower
  restart: always


# Collabora Online Office
collabora-key:
  image: "quay.io/egroupware/collabora-key:stable"
  #image: collabora/code:latest
  # needs to be initialised via: docker run --rm -v dev_collabora-config:/mnt --entrypoint '/bin/cp -r /etc/loolwsd /mnt' quay.io/egroupware/collabora-key:stable
  volumes:
    - collabora-config:/etc/loolwsd
  # dont try to regenerate the (not used certificate) as volumn is readonly
  environment:
    - DONT_GEN_SSL_CERT=1
  restart: always
  container_name: collabora-key
  # set the ip-address of your docker host AND your official DNS name so Collabora
  # can access EGroupware without the need to go over your firewall
  #extra_hosts:
  #- "my.host.name:ip-address"

As it is empty and eg. not containing a certificate.

b) when the container starts successful, you can copy the config out of the container:

docker cp collabora-key:/etc/loolwsd /var/lib/egroupware/default/
chown -R 33:33 /var/lib/egroupware/default/loolwsd
chmod -R o+rX /var/lib/egroupware/default/loolwsd

That creates the configuration, which can from now on be managed by EGroupware.

c) uncomment what you commented in a) and docker-compose up -d the container. Then you can save the Collabora config in EGroupware to fix the configuration (Collabora container should restart automatically).

All the above is done automatic for DEB/RPM package installation, I should create an init-container for it, when I find time.

Ralf

Status of docker-compose version with rocketchat and collabora

J_Roeleveld 2020-03-18 08:53:39 UTC #3

Ralf,

Thank you for your quick reply.
But, after commenting out the 2 lines for the volume, it still goes into an endless cycle of restart, complaining about:

collabora-key | File not found: /etc/loolwsd/ca-chain.cert.pem
collabora-key exited with code 70

I can copy the files out using the cp-command and only get 2 files:
loolkitconfig.xcu loolwsd.xml

I found out I can disable SSL in “loolwsd.xml” (in <ssl … , set <enable… to false )

When restarting with " docker-compose up ", it still goes in an endless restart, complaining about being unable to connect to ports. I also see references to IPv6 addresses.

Is IPv6 support required on the host?
To check this, I am currently rebuilding the kernel with IPv6 support. Will update here later.
I disabled IPv6 globally as my ISP is incapable of providing IPv6 along with IPv4.

–
Joost

J_Roeleveld 2020-03-18 09:19:41 UTC #4

Collabora requires IPv6 on the host.
It doesn’t go into an endless reboot-cycle now because of this.

I still need to force-disable SSL as the keys can not be found. (which is to be expected as I don’t want them on this host)

Next step: See if I can get it configured to work happily together.

RalfBecker 2020-03-18 09:23:21 UTC #5

That’s because we tell it not to generate the certs, as we use a readonly volume and no SSL:

github.com

EGroupware/egroupware/blob/master/doc/docker/docker-compose.yml#L159




# Collabora Online Office
collabora-key:
  image: "quay.io/egroupware/collabora-key:stable"
  #image: collabora/code:latest
  # needs to be initialised via: docker run --rm -v dev_collabora-config:/mnt --entrypoint '/bin/cp -r /etc/loolwsd /mnt' quay.io/egroupware/collabora-key:stable
  volumes:
    - collabora-config:/etc/loolwsd
  # dont try to regenerate the (not used certificate) as volumn is readonly
  environment:
    - DONT_GEN_SSL_CERT=1
  restart: always
  container_name: collabora-key
  # set the ip-address of your docker host AND your official DNS name so Collabora
  # can access EGroupware without the need to go over your firewall
  #extra_hosts:
  #- "my.host.name:ip-address"


# Rocket.Chat server
rocketchat:
  image: rocketchat/rocket.chat:latest

That should work.

No ipv6 is definitly not required, we have not a single installation with ipv6!

Must be something different, thought it’s hard to tell what from here

Ralf

J_Roeleveld 2020-03-18 12:10:24 UTC #6

As I have it running, how do I configure eGroupware (Community Edition) to use the local version?

RalfBecker 2020-03-18 12:29:58 UTC #7

I believe we check if there is a Collabora installation on the host / same domain as EGroupware and set it automatic, if you open and store the Collabora config in EGroupware Admin.

That requires the proxy via the web server is working and https://example.org/hosting/discovery returns the expected result.

If that is not working, let me know.

Ralf

J_Roeleveld 2020-03-18 12:43:29 UTC #8

That was the hint I needed.
I disabled all the collabora entries in the nginx.conf file while trying to get the container working.

It now sees it, but when opening a *.doc of *.odt file from the filemanager, it wants to download it. Instead of (trying to) opening it in Collabora.

Do I need to change anything else?

J_Roeleveld 2020-03-18 12:52:41 UTC #9

Ok, figured part of it out:
Need to click “save” in the collabora settings page (inside egroupware) and then restart.

Now it does try to open the document in collabora, but it doesn’t actually open the file. (Initializing is spinning for a while and then I see just an empty screen and the menu at the top doesn’t respond to clicks)

In the log, I see the following when I click on a file in filemanager:
collabora-key | wsd-00006-00021 2020-03-18 12:49:21.133079 [ websrv_poll ] ERR Basic key structure is invalid.| common/Crypto.cpp:82

J_Roeleveld 2020-03-18 13:16:22 UTC #10

Update, when switching to the CODE version, that message disappears, but still seeing the same in the browser

J_Roeleveld 2020-04-23 19:50:29 UTC #11

All,

I have been trying to get collabora to work again, but not gotten much further.
With [ image: “quay.io/egroupware/collabora-key:stable” ]
I get the message " collabora-key | wsd-00006-00021 2020-03-18 12:49:21.133079 [ websrv_poll ] ERR Basic key structure is invalid.| common/Crypto.cpp:82 ’ in " docker logs collabora-key "

When I use [ image: collabora/code:latest ] I do not get the Key invalid message.

Using either, however, I get the following screen when opening any document/file from the filemanager:

I tried using PDF, ODT, DOCX and TXT.

In the admin part under application->collabora, I see the following:

Checking for user ‘anonymous’: Active user ‘anonymous’ found.
An user ‘anonymous’ is required for Collabora to access files and also for sharing files.

I do not have a user called “anonymous” in my installation. Is this really required? And if yes, how does this user need to be configured?

I would appreciate any help with this.

RalfBecker 2020-04-23 20:14:58 UTC #12

Never seen that error, and we use our Collabora images a lot. You’re saying just replacing our “quay.io/egroupware/collabora-key” with “collabora/code” fixes this crypto error?

The “anonymous” user is required, as it is the EGroupware way to have an anonymous session. Just delete the Collabora app in setup and re-install it. That should create a correctly configured “anonymous” user.

Ralf

J_Roeleveld 2020-04-23 20:52:11 UTC #13

I am assuming the “key” error is related to not actually having a “key”.
In the Application->Collabora->Site config, the field for “Support-Key” is empty.

I already tried uninstalling and reinstalling the Collabora application (in …/egroupware/setup -> config ) a few times.
The “anonymous” user still does not show under user accounts.
I am using LDAP authentication.

Both the authentication type and user storage is set to LDAP.

This, however, can be the problem. When I try to create a new user, eGroupware does add it to the LDAP server, but eGroupware shows an error:
" Error saving the contact! Insufficient access: Egroupware\Api\Ldap: 649 " (Only in the webinterface, I don’t see an error when using " docker logs -f egroupware ".

In order to limit the amount of users eGroupware shows and reports, I modified the filter to only select users with " objectClass: sambaSamAccount ", this is not added to the test-user.

For testing purposes, I changed this filter to see if this solves the issue.
I now do see the " anonymous " user. But when trying to open a file, I still get the same result.

I also still get the same problem when trying to create a new user. So I am guessing something is still not set up correctly.

J_Roeleveld 2020-04-23 22:29:04 UTC #14

Additional info:

I managed to figure out how to improve the logging from Collabora and found the following message:
INF #20 Exception while processing incoming request: [GET /lool/https%3A%2F%2F<WEB_URL_HOSTNAME>%2Fegroupware%2Fcollabora%2Findex.php%2Fwopi%2Ffiles%2F96284%3Faccess_token%3DrF1WFpUi6rCleVouDlbrdVmiLxUjsgAX%26access_token_ttl%3D0/ws?WOPISrc=https%3A%2F%2F<WEB_URL_HOSTNAME>%2Fegroupware%2Fcollabora%2Finde…]: DocKey [/egroupware/collabora/index.php/wopi/files/96284] is invalid.| wsd/LOOLWSD.cpp:2363

(I replaced the hostname of the actual webserver, reverse proxy, in the above line with “<WEB_URL_HOSTNAME>”

When I try to access the link referenced in the “DocKey” on the webserver, eg:
<WEB_URL_HOSTNAME>/egroupware/collabora/index.php/wopl/files/96284
I get a login screen, but don’t know which account and password to use.

Assuming this is the anonymous user account, where is the password configured that Collabora is trying?

RalfBecker 2020-04-23 22:55:07 UTC #15

Without a proper anonymous user, Collabora and also sharing will not work!

Ralf

J_Roeleveld 2020-04-24 05:19:01 UTC #16

Ralf,

How can I increase the loglevel to be able to see the full error trace when trying to add a user.
This will allow me to find out how to get this working before I rebuild my LDAP tree (was already planned for later this year, but might need to be moved forward.

RalfBecker 2020-04-24 15:59:03 UTC #17

We had to suppress some of the error output from LDAP calls as it either contains sensible information or also generated output in regular situations.

So you either have to find and change the places we did that in the code, or install PHP xdebug extension and it’s scream parameter to enable that output anyway:

docker exec -it egroupware bash -c 'apt update && apt install -y php-xdebug'
docker exec -it egroupware bash -c 'echo "xdebug.scream=1" > /etc/php/7.3/fpm/conf.d/20-xdebug.ini'
docker exec -it egroupware kill -s USR2 1
docker logs -f --tail=1 egroupware-nginx 2>&1 | sed "s/PHP message/\\$(echo -e '\n\r')PHP message/g"

Then reproduce your problem and watch the full log.

Eg. stop, delete and restart the container to get ride of your changes:

cd /etc/egroupware-docker
docker-compose stop egroupware
docker-compose rm -f egroupware
docker-compose up -d

Ralf

J_Roeleveld 2020-04-25 12:12:09 UTC #18

Thank you for this. I will apply this later to see what I can find.

As for “sharing” not working either. Is this the part where I can send a document from the FileManager as a download-link?
These do work on my system.

RalfBecker 2020-04-26 07:11:40 UTC #19

Then you must have a working “anonymous” user.

Sharing and Collabora use the same base functionality. Our collabora-key container and the code one, use exactly the same functionality on the EGroupware side.

I don’t think your problem is with the anonymous user, as you stated before:

The first is the diagnostics displayed in Admin > Collabora and it states the user is there.

Not sure why you say you don’t have one, when EGroupware can detected it and you wrote CODE was working.

Please delete our collabora-key image and pull it again, maybe something went wrong with the download:

docker images|grep collabora-key
docker image rm <hash-of-image-to-delete>
cd /etc/egroupware-collabora
docker-compose pull
docker-compose up -d

Ralf

J_Roeleveld 2020-04-26 13:09:37 UTC #20

Ralf,
I agree, I think the “anonymous” user is fine and not the issue.
I think the issue is in my webserver configuration, to explain where I think the issue is, I need to explain my environment.
I only have 1 public IP, which means I can only have 1 'webserver". This server runs NGINX with PHP.
When eGroupware was installed with downloaded tar-files and later with git, this worked fine on my webserver.

Now that eGroupware comes in a docker-container, I ended up creating a 2nd server running docker and adding eGroupware as the first docker-application. I have to keep the existing webserver as-is to support various PHP websites.
I configured access to the docker-eGroupware using reverse-proxy settings and also run the egroupware-nginx container on the docker-host. But I also set the hosts-part in the docker-compose file to point to the IP-address of the main webserver. Setting this to the docker-host-IP causes failures as that one does not listen on HTTP or HTTPS ports.

The config I have on the main webserver is:

server {
server_name egw.example.org;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/egw.example.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/egw.example.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

 #Redirect non-https traffic to https
 if ($scheme != "https") {
     return 301 https://$host$request_uri;
 } # managed by Certbot

access_log            /var/log/nginx/egw.example.org.access_log;
error_log           /var/log/nginx/egw.example.org.error_log;

client_max_body_size 65M;

location / {
  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        X-Forwarded-Proto $scheme;

  proxy_pass          http://docker.example.org:8080;
  proxy_read_timeout  90;

}

}

server {
if ($host = egw.example.org) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
server_name egw.example.org;
return 404; # managed by Certbot

}

(actual domain name changed to “example.org”)

All this works for eGroupware and Rocketchat as they simple provide the client with the HTTPS URL and expect unencrypted data from the webserver.

The problem that, I think, Collabora is having is that it needs to contact eGroupware over HTTPS, but gets the information via HTTP.

In simple terms, I think the best solution is to configure HTTPS (along with the letsencrypt SSL-keys) and reconfigure the main webserver to blindly pass on the HTTPS requests directly to the docker host.
I know this is not the NGINX support group, but if you have any ideas on how to configure NGINX to blindly proxy HTTPS without needing the certificate files and get the egroupware-nginx container to handle the letsencrypt certificates, including renewal, than I think it should work correctly.

–
Joost