This repository has been archived by the owner on Nov 23, 2020. It is now read-only.

Problems with capabilities in Docker container #62

Open
christianlupus opened this issue May 4, 2019 · 2 comments

@christianlupus

Hello,

I have the problem that my Docker container is no longer running smoothly. In fact, I see a fatal error message in the logs, as follows:

collabora_1  | frk-00031-00031 2019-05-04 10:33:28.225360 [ forkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.| kit/ForKit.cpp:170
collabora_1  | frk-00031-00031 2019-05-04 10:33:28.225396 [ forkit ] FTL  Capability cap_mknod is not set for the loolforkit program.| kit/ForKit.cpp:170
collabora_1  | frk-00031-00031 2019-05-04 10:33:28.225459 [ forkit ] FTL  Capability cap_fowner is not set for the loolforkit program.| kit/ForKit.cpp:170
collabora_1  | FATAL: Capabilities are not set for the loolforkit program.
collabora_1  | Please make sure that the current partition was *not* mounted with the 'nosuid' option.
collabora_1  | If you are on SLES11, please set 'file_caps=1' as kernel boot option.

The complete logs can be found in logs.log.

I tried googling around but did not find much useful information. According to the results of that research, one problem was the AUFS storage driver, and one should switch to devicemapper. For me this seems unrelated, as I am running overlay2.

Here is the docker info output.
Containers: 13
 Running: 10
 Paused: 0
 Stopped: 3
Images: 72
Server Version: 18.09.5-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb.m
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 5.0.9-arch1-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 31.3GiB
Name: server-hh
ID: Z2RX:E5ED:CDYD:BWAA:VPF6:3L4M:7SBX:RCJO:NFMQ:EXSI:A6EN:NNHO
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

I found that backporting to the 4.0.2.1 tag on Docker Hub or earlier fixed the problem, while 4.0.3.1 or latest fails with the message above. Using capsh --print inside the container (docker exec [...] bash) shows the three named capabilities to be present. Also, I do not see that the loolforkit program lies on a nosuid-mounted partition.

Can you tell me what other information you need in order to get the problem tracked down?
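Added example, not part of the original post or of the project's code: a capability that appears in a shell's capsh --print output may be in one capability set of that shell and absent from another set of a different process. This sketch decodes the Cap* masks from a /proc/<pid>/status text and reports which of the three capabilities named in the log are absent from each set; the sample status text is constructed, and the function names are hypothetical.

```python
"""Decode Linux capability masks from /proc/<pid>/status text."""
import re
import sys

# Bit numbers from linux/capability.h for the capabilities named in the log.
REQUIRED = {"cap_fowner": 3, "cap_sys_chroot": 18, "cap_mknod": 27}
SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd")


def parse_cap_sets(status_text):
    """Return {set_name: int mask} for the Cap* lines of a status file."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in SETS:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def missing_caps(status_text, required=REQUIRED):
    """Return {set_name: sorted list of required caps absent from that set}."""
    masks = parse_cap_sets(status_text)
    return {
        name: sorted(c for c, bit in required.items() if not ((mask >> bit) & 1))
        for name, mask in masks.items()
    }


# Constructed sample: an unprivileged process in a container whose bounding
# set is Docker's default (0xa80425fb) but whose effective set is empty.
SAMPLE_STATUS = """\
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # With a PID argument, read the live process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STATUS
    for name, absent in missing_caps(text).items():
        print(f"{name}: missing {', '.join(absent) or 'none'}")
```

Run inside the container with the PID of the process of interest to compare its permitted and effective sets against the bounding set.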

@Jab2870

Jab2870 commented Apr 13, 2020

I don't know if it is related, but I am getting this when trying to use the office suite from Nextcloud:

collabora_1    | frk-00036-00036 2020-04-13 19:00:51.813020 [ forkit ] ERR  Failed to create a kit process.| kit/ForKit.cpp:351
collabora_1    | frk-00036-00036 2020-04-13 19:00:51.814389 [ forkit ] ERR  Fork failed. (ENOMEM: Cannot allocate memory)| kit/ForKit.cpp:309
collabora_1    | frk-00036-00036 2020-04-13 19:00:51.815333 [ forkit ] ERR  Failed to create a kit process.| kit/ForKit.cpp:351
collabora_1    | frk-00036-00036 2020-04-13 19:00:52.817581 [ forkit ] ERR  Fork failed. (ENOMEM: Cannot allocate memory)| kit/ForKit.cpp:309
collabora_1    | frk-00036-00036 2020-04-13 19:00:52.819388 [ forkit ] ERR  Failed to create a kit process.| kit/ForKit.cpp:351
collabora_1    | frk-00036-00036 2020-04-13 19:00:52.821093 [ forkit ] ERR  Fork failed. (ENOMEM: Cannot allocate memory)| kit/ForKit.cpp:309
collabora_1    | frk-00036-00036 2020-04-13 19:00:52.822341 [ forkit ] ERR  Failed to create a kit process.| kit/ForKit.cpp:351

@christianlupus
Author

I found it is some sort of dance between the Collabora version and the current NC installation. I got it running now but in a brittle way. Also, I do not know exactly what I had to do to get things running, unfortunately.
