CODE: How do I run without privileged mode?

[austinvaness]

I have tried everything I can think of in my docker compose file but no matter what I do this appears in the log file:

 ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.

The only way I have been able to enable this feature is to set privileged mode to true.

[vmiklos]

Does

online/docker/README

Line 65 in f422b2f

docker run --security-opt cool-seccomp-profile.json

help?

[Macr0Nerd]

I am also curious about this. I currently am running Collabora in a Podman Pod with Nextcloud. This is configured using Podman Quadlets, and I have the rest of the containers in the pod running under a service user. This means the container is created by root but is run under an unprivileged user. I have applied the SECCOMP profile, but it appears that running rootless creates problems:

Failed to initialize COOLWSD: Access to file denied: /opt/cool/child-roots/1-970e1fa9                                                                                                                                           
wsd-00001-00001 2025-10-15 07:00:51.721381 +0000 [ coolwsd ] FTL  Failed to initialize COOLWSD: Access to file denied: /opt/cool/child-roots/1-970e1fa9| wsd/COOLWSD.hpp:263                        
Access to file denied: /opt/cool/child-roots/1-970e1fa9

[vmiklos]

Sounds like that should be an issue, then: reading https://caolanm.blogspot.com/2024/08/linux-namespaces-and-collabora-online.html, in general we should run COOL in rootless mode just fine, unless the environment is configured in some unhelpful way. It would be ideal to know more about that failing environment, so unless that file access failure is the root of the problem, we would give a more helpful error message. I assume you didn't configure /opt/cool in some separate container volume where the user would no permissions to read/write. :-)

[Macr0Nerd]

For Collabora I actually don't have any volumes set up. Here is the Podman Quadlet container file; it probably looks a lot different than you're used to with Docker tools but all of the settings should line to be easily reproducible. When the user option is enabled is when errors start popping up. I can make an issue if needed.

[Unit]
Description=Nextcloud Collabora container
After=network-online.target krb-renew-ncdata.timer
Wants=krb-renew-ncdata.timer

[Service]
Restart=always
#User=1238400022

[Container]
Image=docker.io/collabora/code:latest
EnvironmentFile=nextcloud-collabora.env
Pod=nextcloud.pod
StartWithPod=true
#User=1238400022
SeccompProfile=/usr/share/containers/systemd/nextcloud/cool-seccomp-profile.json
#Pull=newer
AutoUpdate=registry

[Install]
WantedBy=default.target

[meven]

The user id used in the Collabora container is 1001, you might want to specify it.
Otherwise the cool process will have filesystem access permission issues.
https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile#L145

[Macr0Nerd]

@meven the start script actually attempts to account for the uid not matching by changing the cool user's uid and gid to the container's, but it doesn't account for the filesystem referring to the old uid and gid.

online/docker/from-packages/scripts/start-collabora-online.sh

Line 31 in 1319364

# Build a tiny passwd file mapping this random assigned UID to "cool" if userId is not "1001"

[Macr0Nerd]

Additionally mapping the UID does not seem to work with quadlets. UID Maps aren't possible due to namespace restrictions, and in my current and previous testing User NS doesn't change much either.

[herrschmidt]

I'm experiencing the same issue with Ubuntu 24.04 LTS Server + Docker + Dokploy.

What I've tried:

• ❌ privileged: true → Same /tmp/user error
• ❌ cap_add: [MKNOD, SYS_ADMIN] → Same error
• ❌ security_opt: [apparmor=unconfined, seccomp=unconfined] → Same error
• ❌ Removed /tmp volume mount → Same error
• ❌ Added entrypoint with chmod 1777 /tmp → Same error

System info:

• Ubuntu 24.04 LTS Server
• Docker in Dokploy (Docker Compose orchestrator)
• User namespaces enabled: cat /proc/sys/user/max_user_namespaces = 62828
• Image: collabora/code:25.04.4.2.1

Setup:
Running Collabora with OpenCloud (ownCloud Infinite Scale fork) + WOPI server in Docker Compose. The OpenCloud examples show this should work.

Logs:

ERR Child X has exited, with status 77
Fatal Error: The application cannot be started.
Collabora Office user installation could not be processed due to missing access rights.
Please make sure that you have sufficient access rights for the following location:
/tmp/user

After reading the blog post about namespaces, I understand Ubuntu 24.04 has AppArmor restrictions, but even with apparmor=unconfined the issue persists.

Question: Is there additional configuration needed for Ubuntu 24.04 + Docker beyond what's documented? Or is this a known limitation with the Docker image on this platform?