
seccomp filter issue

Open Unfaehig opened this issue 3 years ago • 1 comments

Describe the bug: I tried to install the Collabora Docker container on a Synology via portainer.io. When the container boots, it throws the following error for me:

kit-00038-00036 2022-09-14 13:57:43.555304 +0000 [ kit_spare_001 ] ERR Failed to install seccomp syscall filter| common/Seccomp.cpp:239

Seems this is a known Libre Office Online bug, see here

To Reproduce Steps to reproduce the behavior:

  1. Take a Synology NAS or a Linux system without seccomp enabled in the kernel
  2. Create a container (I tested it from 6.4.1.2+, but it doesn't matter, use latest)
  3. Start the container

Expected behavior: I would like to have a config option like the one mentioned in the bug report above, so that you are able to bypass the seccomp filter via "--disable-seccomp", or even better, that the image does it automatically if the seccomp filter fails.

Actual behavior: The seccomp filter fails and it seems that this crashes something in the container. It results in a connection that is never established, and the log never outputs "Ready to accept connections on port 9980."

Server (please complete the following information)

  • OS: [DSM 6.2.4]
  • Browser: [e.g. chrome, safari]
  • Version: [e.g. 22]

Additional context docker

Unfaehig, Sep 14 '22 14:09

OK, after a week of endless tests I finally see it is possible to add --o:security.seccomp=false to extra_params to get around this issue!

Unfaehig, Sep 14 '22 15:09

TDF#113078 was closed as WONTFIX. I think it's an acceptable resolution. If installation of seccomp syscall filter fails, and the program continues, the user will never know that it failed and may think that everything is in order. The feature can be disabled in config, but it is not the default, as it weakens security (in theory).

timar, Sep 23 '22 10:09

That's OK, though a warning log message after starting would be nice instead, like: "server started in insecure mode, due to missing seccomp" or something like that. However, if it is WONTFIX, there should be better documentation on this. As a Docker user I had to copy the coolwsd out of the container to see the entry at all. It would make more sense to have a sample file in the documentation, instead of just looking in coolwsd. It also wasn't directly clear what the overall notation is. However, thanks for responding, and I hope that this issue at least helps other folks out there!

Unfaehig, Sep 24 '22 21:09
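
An added example, not code from Collabora Online or from anyone in this thread: a small C probe for the condition the reporter describes, a kernel without seccomp enabled, so the filter is only turned off where it really cannot be installed. The enum and function names are hypothetical; it assumes Linux with glibc and the kernel headers.

```c
/* Added example: does this kernel support seccomp filter mode? */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>

/* Hypothetical names, chosen for this example only. */
enum ksup { KSUP_NONE, KSUP_STRICT_ONLY, KSUP_FILTER, KSUP_UNKNOWN };

/* Decision logic kept pure so it can be checked on any kernel. */
enum ksup classify(int get_rc, int set_rc, int set_errno)
{
    if (get_rc < 0)
        return KSUP_NONE;        /* no CONFIG_SECCOMP: PR_GET_SECCOMP fails */
    if (set_rc == 0)
        return KSUP_UNKNOWN;     /* a NULL filter should never be accepted */
    if (set_errno == EFAULT)
        return KSUP_FILTER;      /* kernel got as far as reading the program */
    if (set_errno == EINVAL)
        return KSUP_STRICT_ONLY; /* no CONFIG_SECCOMP_FILTER */
    return KSUP_UNKNOWN;         /* e.g. the call is blocked by a sandbox */
}

enum ksup probe_seccomp(void)
{
    int get_rc = prctl(PR_GET_SECCOMP, 0UL, 0UL, 0UL, 0UL);
    /* NULL program: nothing is installed, only errno is of interest. */
    int set_rc = prctl(PR_SET_SECCOMP, (unsigned long)SECCOMP_MODE_FILTER,
                       NULL, 0UL, 0UL);
    int set_errno = errno;
    return classify(get_rc, set_rc, set_errno);
}

int main(void)
{
    switch (probe_seccomp()) {
    case KSUP_FILTER:
        puts("seccomp filter mode available: keep security.seccomp enabled");
        return 0;
    case KSUP_NONE:
    case KSUP_STRICT_ONLY:
        puts("no seccomp filter support: the syscall filter cannot be installed; "
             "--o:security.seccomp=false runs without that sandbox layer");
        return 1;
    default:
        puts("inconclusive: check CONFIG_SECCOMP_FILTER in the kernel config");
        return 2;
    }
}
```

Run it on the host or inside the container; an exit status of 0 means the kernel can install filters, so a failure there has some other cause than missing kernel support.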