OnlyOffice Document Server Failing to Start in systemd Container After Upgrade to 23.05

Hello,

I’ve been running an OnlyOffice document server inside a systemd container without any issues until I recently upgraded to NixOS 23.05. After the upgrade, the OnlyOffice document server fails to start, with the error message: “bwrap: Can’t mount proc on /newroot/proc: Operation not permitted.”

Here’s the configuration for my container:

containers.onlyoffice = {
  autoStart = true;
  ephemeral = true;
  privateNetwork = true;
  hostAddress = "192.168.100.20";
  localAddress = "192.168.100.21";

  bindMounts = {
    "/home/arne" = {
      hostPath = "/home/arne";
      isReadOnly = true;
    };
  };

  config = { config, pkgs, ... }: {

    services.onlyoffice = {
      enable = true;
    };

    services.nginx = {
      enable = true;
      serverNamesHashBucketSize = 128;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "ooffice.domain.de" = {
          default = false;
          forceSSL = true;
          sslCertificate = /home/arne/onlyoffice_localhost.crt;
          sslCertificateKey = /home/arne/onlyoffice_localhost.key;
          locations."/" = {
            proxyPass = "http://localhost:8000";
          };
        };
      };
    };

    system.stateVersion = "22.11";

    networking.firewall = {
      enable = false;
      allowedTCPPorts = [ 80 443 ];
    };

    environment.etc."resolv.conf".text = "nameserver 8.8.8.8";

    nixpkgs.config.allowUnfree = true;
  };
};

I have tried the following to resolve the issue:
- Tried to use a privileged container.
- Experimented with the security.unprivilegedUsernsClone option.

However, none of these attempts resolved the issue.

Downgrading NixOS back to the previous version resolves the issue, so it seems to be related to some changes in the new version. Any help or insight into this issue would be greatly appreciated.

Best Regards,
Arne

buildFHSEnv switched to the bwrap implementation in 23.05. I am not sure how to get bwrap to work in a nspawn container.

Thank you, Sandro.

The switch to the Bubblewrap implementation seems to be the root of the issue, indeed. Would you or anyone else have any suggestions on potential workarounds, or should I consider alternative solutions? Also, is it likely that this issue will be addressed in future NixOS updates, or is this a more permanent change?

Any guidance would be greatly appreciated.

Best Regards,
Arne

I don’t really have an idea other than to Google nested containers or so, and I didn’t see something yet to fix this, but I might as well have missed it.