Error logged after first install

Theking2 · July 6, 2025, 4:45pm

I’m attempting to setup a collabora server in a docker. What I see are the following log entries upon start:

> collabora  | wsd-00001-00001 2025-07-05 08:15:47.876071 +0000 [ coolwsd ] ERR  enterMountingNS, unshare failed: Operation not permitted| common/JailUtil.cpp:70
> collabora  | wsd-00001-00001 2025-07-05 08:15:47.876114 +0000 [ coolwsd ] ERR  creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272

and

> collabora  | wsd-00001-00001 2025-07-05 08:15:47.884376 +0000 [ coolwsd ] ERR  Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/1-a677f26f/cool_test_mount]| common/JailUtil.cpp:157
> collabora  | wsd-00001-00001 2025-07-05 08:15:47.884403 +0000 [ coolwsd ] ERR  Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454

darshan · July 7, 2025, 4:15pm

Hii @Theking2 welcome to the community

The error you’re encountering is related to user namespaces and mount namespace isolation not being supported or permitted in your Docker setup. These are needed by default in Collabora Online for process isolation and security (mount_jail_tree).

Option 1

Disable mount_jail_tree in coolwsd.xml

If you’re in a Docker environment and you trust the workload (e.g. not multi-tenant or untrusted docs), the simplest solution is to disable the jail system:

Locate your coolwsd.xml (mounted or copied into the container, typically in /etc/coolwsd/coolwsd.xml)
Set:

<mount_jail_tree>false</mount_jail_tree>

Restart the container.

Security Note: This disables mount namespace isolation, which reduces sandboxing protections. Only do this in trusted, internal setups.

Option 2: Use Docker with Required Capabilities

If you want to keep the jail feature, run your container with extra privileges:

docker run --cap-add=SYS_ADMIN --security-opt seccomp=unconfined ...

Or if you’re using docker-compose:

services:
  collabora:
    image: collabora/code
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp=unconfined
    ...

This will allow unshare() to succeed and let Collabora isolate the environment properly.

3: Use Podman (Rootless Compatible)

If you prefer to keep your deployment fully rootless and secure, Podman supports user namespaces better than Docker by default.

Thanks
Darshan

Topic		Replies	Views
Problems getting collabora docker container working User Support	4	273	September 2, 2024
Quick Tryout Nextcloud Docker not working User Support	4	147	March 26, 2025
Getting error while starting collabora with docker Installation & Configuration	6	770	March 26, 2025
Coolmount fails to function Installation & Configuration	4	1015	May 8, 2024
Race Condition - Connection is terminated (Nextcloud) User Support english-en	6	138	October 17, 2024

Relive COOL Days 2025!

Error logged after first install

Option 1

Option 2: Use Docker with Required Capabilities

3: Use Podman (Rootless Compatible)

Related topics