Error logged after first install

I’m attempting to set up a Collabora server in Docker. What I see are the following log entries upon start:

> collabora  | wsd-00001-00001 2025-07-05 08:15:47.876071 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Operation not permitted| common/JailUtil.cpp:70
> collabora  | wsd-00001-00001 2025-07-05 08:15:47.876114 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272

and

> collabora  | wsd-00001-00001 2025-07-05 08:15:47.884376 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/1-a677f26f/cool_test_mount]| common/JailUtil.cpp:157
> collabora  | wsd-00001-00001 2025-07-05 08:15:47.884403 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454

Hi @Theking2, welcome to the community 🙂

The error you’re encountering is related to user namespaces and mount namespace isolation not being supported or permitted in your Docker setup. These are needed by default in Collabora Online for process isolation and security (mount_jail_tree).

Option 1: Disable mount_jail_tree in coolwsd.xml

If you’re in a Docker environment and you trust the workload (e.g. not multi-tenant or untrusted docs), the simplest solution is to disable the jail system:

  1. Locate your coolwsd.xml (mounted or copied into the container, typically in /etc/coolwsd/coolwsd.xml)
  2. Set:
     <mount_jail_tree>false</mount_jail_tree>
  3. Restart the container.

Security Note: This disables mount namespace isolation, which reduces sandboxing protections. Only do this in trusted, internal setups.

Option 2: Use Docker with Required Capabilities

If you want to keep the jail feature, run your container with extra privileges:

docker run --cap-add=SYS_ADMIN --security-opt seccomp=unconfined ...

Or if you’re using docker-compose:

services:
  collabora:
    image: collabora/code
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp=unconfined
    ...

This will allow unshare() to succeed and let Collabora isolate the environment properly.


Option 3: Use Podman (Rootless Compatible)

If you prefer to keep your deployment fully rootless and secure, Podman supports user namespaces better than Docker by default.

Thanks
Darshan
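
An added example, not part of the thread and not Collabora's own code: a small Python check that parses coolwsd log lines in the layout quoted in the question and flags a run where jail mounting fell back to disabled. The finding labels and function names are assumptions made for this example; the first four sample lines are the ones from the question and the fifth is constructed.

```python
import re

# Layout seen in the quoted excerpts:
# [compose prefix |] proc-id timestamp [ thread ] LEVEL message| source.cpp:line
LINE = re.compile(
    r"^(?:\S+\s+\|\s+)?(?P<proc>\S+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4})\s+"
    r"\[\s*(?P<thread>[^\]]+?)\s*\]\s+(?P<level>[A-Z]+)\s+"
    r"(?P<msg>.*)\|\s*(?P<src>[^\s|]+:\d+)\s*$"
)

# Message substrings from the thread -> finding labels (labels are this example's own).
RULES = [
    ("unshare failed", "namespace-denied"),
    ("creating usernamespace for mount user failed", "namespace-denied"),
    ("Failed to bind-mount", "bind-mount-denied"),
    ("Bind-Mounting fails and will be disabled", "jail-mounting-disabled"),
]

def parse(line):
    """Split one coolwsd log line into fields, or return None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines):
    """Collect isolation-related ERR entries; 'degraded' means coolwsd gave up on jail mounts."""
    findings = []
    for raw in lines:
        rec = parse(raw)
        if rec is None or rec["level"] != "ERR":
            continue
        label = next((lab for needle, lab in RULES if needle in rec["msg"]), None)
        if label:
            findings.append((label, rec["ts"], rec["src"]))
    labels = {f[0] for f in findings}
    return {"findings": findings, "labels": labels,
            "degraded": "jail-mounting-disabled" in labels}

P = "collabora  | wsd-00001-00001 2025-07-05 08:15:47."
SAMPLE = [  # first four lines are from the question; the last one is constructed
    P + "876071 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Operation not permitted| common/JailUtil.cpp:70",
    P + "876114 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272",
    P + "884376 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/1-a677f26f/cool_test_mount]| common/JailUtil.cpp:157",
    P + "884403 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454",
    P + "900000 +0000 [ coolwsd ] INF  constructed sample line| constructed/Sample.cpp:1",
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for label, ts, src in report["findings"]:
        print(f"{ts}  {label:<24} {src}")
    print("sandbox degraded for this run:", report["degraded"])
```

Feeding it the output of `docker logs` for the container after each start shows whether a capability or seccomp change actually restored the jail mounts, rather than coolwsd quietly continuing without them.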