kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-24 15:05:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(web-svc-collabora): add required Docker capabilities and resource limits for Collabora Jails

Browse Source 
- Added security_opt (seccomp=unconfined, apparmor=unconfined) and cap_add (MKNOD, SYS_CHROOT, SETUID, SETGID, FOWNER)
  to allow Collabora's sandbox (coolmount/systemplate) to mount and chroot properly
- Increased resource limits (2 CPUs, 2 GB RAM, 2048 PIDs) to prevent document timeout and OOM issues
- Resolves 'coolmount: Operation not permitted' and systemplate performance warnings

Refs: https://chatgpt.com/share/68ed03cd-1afc-800f-904e-d1c1cb133914
This commit is contained in:
Kevin Veen-Birkenbach
2025-10-13 15:52:50 +02:00
parent ae618cbf19
commit 6a8e0f38d8
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
roles/web-svc-collabora/config/main.yml
View File

@@ -17,9 +17,13 @@ docker:
database:
enabled: false
collabora:
image: collabora/code
version: latest
name: collabora
image: collabora/code
version: latest
name: collabora
cpus: 2
mem_reservation: 1g
mem_limit: 2g
pids_limit: 2048
features:
logout: false
desktop: true # Just set to allow the iframe to load it

9
roles/web-svc-collabora/templates/docker-compose.yml.j2
View File

@@ -4,6 +4,15 @@
{% include 'roles/docker-container/templates/base.yml.j2' %}
image: "{{ COLLABORA_IMAGE }}:{{ COLLABORA_VERSION }}"
container_name: {{ COLLABORA_CONTAINER }}
security_opt:
- seccomp=unconfined
- apparmor=unconfined
cap_add:
- MKNOD
- SYS_CHROOT
- SETUID
- SETGID
- FOWNER
ports:
- "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}