(This is a follow-up from Code as an Incus App container , because that one was closed)
I was finally able to run Collabora Code in an Incus App container, with something like this:
incus launch docker:collabora/code:latest collabora-code-container
-c environment.extra_params=‘--o:security.capabilities=false --o:mount_jail_tree=false’
But then, I see messages like these on the logs:
[ kit_spare_003 ] WRN Security warning: running without chroot jails is insecure.| kit/Kit.cpp:3686
[ coolforkit-ns ] ERR Security: Running without the capability to enter a chroot jail is ill advised.| kit/ForKit.cpp:950
And also this deprecation comment for the capabilities
option in the config file:
...
<!-- deprecated: If capabilities is 'false', coolwsd will assume mount_namespaces of 'true' to achieve
this goal, only avoiding chroot for process isolation if linux namespaces are unavailable -->
<capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities>
...
I would say that for my use-case this is an OK security-usability tradeoff, because we are only 2 trusted people using the nextcloud instance and the collabora code instance is running in a different server (without VM support), but I guess that for other use-cases it might be dangerous.
What concerns me is that deprecation notice: is this option really going away @darshan?
Thanks for all the help!