Is security.capabilities option going away?

(This is a follow-up from Code as an Incus App container, because that one was closed)

I was finally able to run Collabora Code in an Incus App container, with something like this:

incus launch docker:collabora/code:latest collabora-code-container \
  -c environment.extra_params='--o:security.capabilities=false --o:mount_jail_tree=false'

But then, I see messages like these on the logs:

[ kit_spare_003 ] WRN  Security warning: running without chroot jails is insecure.| kit/Kit.cpp:3686
[ coolforkit-ns ] ERR  Security: Running without the capability to enter a chroot jail is ill advised.| kit/ForKit.cpp:950

And also this deprecation comment for the capabilities option in the config file:

...
  <!-- deprecated: If capabilities is 'false', coolwsd will assume mount_namespaces of 'true' to achieve
         this goal, only avoiding chroot for process isolation if linux namespaces are unavailable -->
    <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities>
...

I would say that for my use-case this is an OK security-usability tradeoff, because we are only 2 trusted people using the Nextcloud instance and the Collabora Code instance is running in a different server (without VM support), but I guess that for other use-cases it might be dangerous.

What concerns me is that deprecation notice: is this option really going away @darshan?

Thanks for all the help!
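A small shell audit, added here as an example (it is not code from the thread or from Collabora), that reports which isolation-related --o: overrides a launch disables and counts the chroot-jail warnings in a coolwsd log. The function names and the third sample log line are constructed for the example; the other sample values are the ones from the post above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Collabora: audit a coolwsd
# launch for disabled process-isolation options and scan its log for the
# "running without chroot jails" messages quoted in the thread.

# Print each isolation-related --o: override that is set to false in an
# extra_params string (one per line). Returns 0 if any was found, 1 if none.
cool_disabled_isolation_opts() {
    params="$1"
    status=1
    for opt in security.capabilities mount_jail_tree mount_namespaces; do
        case " $params " in
            *"--o:$opt=false"*) echo "$opt"; status=0 ;;
        esac
    done
    return "$status"
}

# Count log lines (read from stdin) in which a kit process reports that it is
# not confined to a chroot jail. The patterns are the WRN/ERR texts from
# kit/Kit.cpp and kit/ForKit.cpp shown in the thread. Always exits 0.
cool_count_jail_warnings() {
    grep -c -E 'running without chroot jails|Running without the capability to enter a chroot jail' || true
}

# Constructed sample input: the extra_params from the launch command, the two
# log lines from the thread, and one unrelated INF line that must not match.
SAMPLE_PARAMS='--o:security.capabilities=false --o:mount_jail_tree=false'
SAMPLE_LOG='[ kit_spare_003 ] WRN  Security warning: running without chroot jails is insecure.| kit/Kit.cpp:3686
[ coolforkit-ns ] ERR  Security: Running without the capability to enter a chroot jail is ill advised.| kit/ForKit.cpp:950
[ coolwsd ] INF  Document loaded.'

if disabled=$(cool_disabled_isolation_opts "$SAMPLE_PARAMS"); then
    echo "isolation options disabled via extra_params:"
    echo "$disabled" | sed 's/^/  /'
fi
warnings=$(printf '%s\n' "$SAMPLE_LOG" | cool_count_jail_warnings)
echo "log lines reporting kit processes outside a chroot jail: $warnings"
```

A non-zero warning count after launch means the kits are running without jail isolation, which is the state the deprecation comment says coolwsd only falls back to when Linux namespaces are unavailable.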

Hi @pachulo

You’re right — what you’re seeing is a limitation of running inside Incus App containers.

Collabora Online normally tries to create a safe execution environment by using chroot jails and Linux capabilities. Incus doesn’t allow all of these, so the only way to make it work there is by turning off capabilities, which triggers the warnings you saw. That’s why you need to run with --o:security.capabilities=false --o:mount_jail_tree=false.

As for the deprecation notice: it just means the option is being simplified, because the code now prefers using Linux namespaces by default when possible. If namespaces aren’t available (like in your Incus setup), disabling capabilities is still the only way to run.

For a deeper dive into why this exists and what the future looks like, I suggest reading Caolán’s write-up here:
https://caolanm.blogspot.com/2024/08/linux-namespaces-and-collabora-online.html

Thanks
Darshan