
When starting Collabora Online from within a container built from packages, no validation key is generated and there are issues with the default jail directory

Open julienfastre opened this issue 7 months ago • 0 comments

Describe the Bug

I compiled an image for Collabora Online 24.04, using my customer secret key. I started the container with the same configuration as for Collabora Online 22.05.

Using the WOPI protocol, my WOPI host refused to serve documents to Collabora, due to a missing X-Wopi header and proof key in the hosting/discovery XML file. I also received a warning in the container logs:

WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:432

Running these commands as root within the container fixed the problem:

docker compose exec --user root app coolconfig generate-proof-key
docker compose exec --user root app coolconfig update-system-template
# those lines are printed:
Running the following command:
coolwsd-systemplate-setup /opt/cool/systemplate /opt/collaboraoffice >/dev/null 2>&1

Steps to Reproduce

  1. Compile your own image of Collabora CODE using a secret key, as described here (Example 3.)
  2. Run the image using docker compose. I use an nginx reverse proxy in front of Collabora, but I don't think that has any impact.

Expected Behavior

  • There are some proof keys in the hosting/discovery XML files;
  • Collabora adds headers related to validation proof to the WOPI host;
  • No warning in the logs;
  • No need to manually run commands to finish the configuration.

Actual Behavior

No proof key generated

  • Open the hosting/discovery file: there isn't any proof key. Opening a document from a WOPI host which checks for the proof key: the WOPI host refuses to serve it (tip: Nextcloud is not sensitive to the WOPI proof key);
  • There aren't any headers related to the proof key in the request headers sent by Collabora Online to the WOPI host.

This is fixed by manually running this command:

docker compose exec --user root app coolconfig generate-proof-key

Issues with systemplate, out of date

  • When opening a document, I see in the logs:

    [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:432
    

    But the document does open.

This is fixed by manually running this command:

docker compose exec --user root app coolconfig update-system-template
# those lines are printed:
Running the following command:
coolwsd-systemplate-setup /opt/cool/systemplate /opt/collaboraoffice >/dev/null 2>&1

Screenshots

image

Server

(Please complete the following information)

  • Collabora version: Collabora Online 24.04.4.3 8628721
  • OS and version: Debian GNU/Linux 11 (bullseye)
  • Browser and version: not relevant

julienfastre avatar Jul 04 '24 19:07 julienfastre
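
A check for the first symptom reported above, as an added example that is not part of the original issue or of Collabora's code: it parses a hosting/discovery document and reports whether a usable `proof-key` element is advertised, so the gap shows up at deploy time instead of when a WOPI host rejects a request. The sample XML, the hostname, the function name and the 2048-bit minimum are assumptions constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample data: placeholder RSA numbers, not a real key.
MOD_B64 = base64.b64encode(b"\xc3" + b"\x01" * 255).decode()  # 2048-bit modulus
EXP_B64 = base64.b64encode(b"\x01\x00\x01").decode()          # 65537
DISCOVERY_WITHOUT_KEY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action ext="odt" name="edit" urlsrc="https://office.example.test/edit?"/>
    </app>
  </net-zone>
</wopi-discovery>"""
DISCOVERY_WITH_KEY = DISCOVERY_WITHOUT_KEY.replace(
    "</wopi-discovery>",
    f'  <proof-key value="AAAA" modulus="{MOD_B64}" exponent="{EXP_B64}"/>\n</wopi-discovery>',
)


def check_proof_key(discovery_xml: str, min_bits: int = 2048) -> list[str]:
    """Return the problems found; an empty list means a proof key is advertised.

    min_bits is an assumed policy threshold. Only feed this discovery XML from
    your own server: ElementTree does not guard against entity-expansion bombs.
    """
    key = ET.fromstring(discovery_xml).find("proof-key")
    if key is None:
        return ["no <proof-key> element in hosting/discovery"]
    missing = [a for a in ("value", "modulus", "exponent") if not key.get(a)]
    if missing:
        return [f"proof-key attribute {a!r} is missing or empty" for a in missing]
    try:
        modulus = int.from_bytes(base64.b64decode(key.get("modulus"), validate=True), "big")
        exponent = int.from_bytes(base64.b64decode(key.get("exponent"), validate=True), "big")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["modulus or exponent is not valid base64"]
    problems = []
    if modulus.bit_length() < min_bits:
        problems.append(f"modulus is {modulus.bit_length()} bits, below {min_bits}")
    if exponent < 3 or exponent % 2 == 0:
        problems.append("public exponent is not an odd integer >= 3")
    return problems


if __name__ == "__main__":
    for name, doc in (("without key", DISCOVERY_WITHOUT_KEY), ("with key", DISCOVERY_WITH_KEY)):
        print(name, "->", check_proof_key(doc) or "OK")
```

Run against the XML saved from the server's hosting/discovery endpoint, a non-empty result is a reason to fail the container health check.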