I’m attempting to set up a Collabora server in Docker. What I see are the following log entries upon start:
> collabora | wsd-00001-00001 2025-07-05 08:15:47.876071 +0000 [ coolwsd ] ERR enterMountingNS, unshare failed: Operation not permitted| common/JailUtil.cpp:70
> collabora | wsd-00001-00001 2025-07-05 08:15:47.876114 +0000 [ coolwsd ] ERR creating usernamespace for mount user failed.| wsd/COOLWSD.cpp:1272
and
> collabora | wsd-00001-00001 2025-07-05 08:15:47.884376 +0000 [ coolwsd ] ERR Failed to bind-mount [/opt/cool/systemplate] -> [/opt/cool/child-roots/1-a677f26f/cool_test_mount]| common/JailUtil.cpp:157
> collabora | wsd-00001-00001 2025-07-05 08:15:47.884403 +0000 [ coolwsd ] ERR Bind-Mounting fails and will be disabled for this run. To disable permanently set mount_jail_tree config entry in coolwsd.xml to false.| common/JailUtil.cpp:454
Hi @Theking2, welcome to the community.
The error you’re encountering is related to user namespaces and mount namespace isolation not being supported or permitted in your Docker setup. These are needed by default in Collabora Online for process isolation and security (mount_jail_tree).
Option 1: Disable mount_jail_tree in coolwsd.xml
If you’re in a Docker environment and you trust the workload (e.g. not multi-tenant or untrusted docs), the simplest solution is to disable the jail system:
- Locate your coolwsd.xml (mounted or copied into the container, typically in /etc/coolwsd/coolwsd.xml)
- Set:
    <mount_jail_tree>false</mount_jail_tree>
- Restart the container.
Security Note: This disables mount namespace isolation, which reduces sandboxing protections. Only do this in trusted, internal setups.
Option 2: Use Docker with Required Capabilities
If you want to keep the jail feature, run your container with extra privileges:
    docker run --cap-add=SYS_ADMIN --security-opt seccomp=unconfined ...
Or if you’re using docker-compose:
    services:
      collabora:
        image: collabora/code
        cap_add:
          - SYS_ADMIN
        security_opt:
          - seccomp=unconfined
        ...
This will allow unshare() to succeed and let Collabora isolate the environment properly.
Option 3: Use Podman (Rootless Compatible)
If you prefer to keep your deployment fully rootless and secure, Podman supports user namespaces better than Docker by default.
Thanks
Darshan
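
To confirm what privileges a container actually ended up with after choosing one of the options above, the following added example (not part of the thread and not Collabora's code) audits a /proc/<pid>/status dump for CAP_SYS_ADMIN and the seccomp mode. The two sample dumps are constructed, and the function names are hypothetical.

```python
import sys

CAP_SYS_ADMIN = 21  # bit index, from linux/capability.h
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed /proc/<pid>/status excerpts (not captured from a real host):
# Docker's default capability set with its default seccomp profile, and the
# same container after --cap-add=SYS_ADMIN --security-opt seccomp=unconfined.
SAMPLE_DEFAULT = "Name:\tcoolwsd\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n"
SAMPLE_OPTION2 = "Name:\tcoolwsd\nCapEff:\t0000000000000000\nCapBnd:\t00000000a82425fb\nSeccomp:\t0\n"


def parse_status(text):
    """Split 'Key:<tab>value' lines of a status dump into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(mask_hex, bit):
    """True if capability number `bit` is set in a hex mask such as CapBnd."""
    return bool((int(mask_hex, 16) >> bit) & 1)


def audit(text):
    """Report whether CAP_SYS_ADMIN is available and which seccomp mode applies."""
    fields = parse_status(text)
    missing = [k for k in ("CapEff", "CapBnd") if k not in fields]
    if missing:
        raise ValueError("not a /proc status dump, missing: " + ", ".join(missing))
    report = {
        # Bounding set: what the container was granted, whatever the process UID.
        "sys_admin_granted": has_cap(fields["CapBnd"], CAP_SYS_ADMIN),
        # Effective set: what this particular process can use right now.
        "sys_admin_effective": has_cap(fields["CapEff"], CAP_SYS_ADMIN),
        # Kernels built without seccomp omit the field entirely.
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp"), "unknown"),
    }
    report["findings"] = [msg for flag, msg in (
        (report["sys_admin_granted"], "CAP_SYS_ADMIN is in the bounding set"),
        (report["seccomp"] not in ("filter", "strict"), "no seccomp confinement reported"),
    ) if flag]
    return report


if __name__ == "__main__":
    # With piped input, audit it; otherwise show the two constructed samples.
    inputs = [sys.stdin.read()] if not sys.stdin.isatty() else [SAMPLE_DEFAULT, SAMPLE_OPTION2]
    for text in inputs:
        print(audit(text))
```

Pipe in the status file of a process inside the container to audit a live deployment; an empty findings list means neither SYS_ADMIN nor an unconfined seccomp profile is in effect.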