Fragmented documentation for WOPI server and Collabora with OCIS 6.1.0

Hello,

I am trying to make OCIS work with Collabora. In my case I am trying, on Ubuntu 24.04, the standalone OCIS (using S3 as storage) + Nginx + Collabora in Docker + AWS ELB for SSL termination.

I can make OCIS + Nginx work without any problem (both using docker-compose or standalone), I am just not able to find (or maybe I am blind :D) some proper documentation of how to make WOPI + Collabora work… I checked the documentation and sometimes there are missing links or some kind of contradictory information… (I cannot yet send links in this forum I guess, so the forum does not allow me yet to post my configs and/or the links to specific documentation)…

So if I understood well, for the WOPIServer to work I need to have configured the app-registry in OCIS, but I saw that in the docker version we need to start two OCIS instances, so the normal app server but also one for starting the app-registry ?? But in stand-alone OCIS version is not needed?

Also in some documentation, I saw that there is some kind of OCIS service called “Collaboration” which needs to be configured, and it will work once we have Collabora running (didn’t work for me), but it is also not clear in that documentation if we still need the wopiserver from cs3org …

It is quite confusing what I read in the documentation…

Basically what I wanted to ask??

  1. Can I make work OCIS stand alone + Collabora (for example in docker )? or do I need to do everything in docker…

  2. Also I saw that in all documentation it is normally used Traefik? but I feel much more comfortable with nginx… would it work using NGINX? (Again I cannot send config I have tried)

  3. Is there some kind of full tutorial with updated documentation, meaning for OCIS 6.1.0?? Can somebody please point me there? :slight_smile:

Thanks very much in advance :slight_smile:

Edit1: Some clarification why I cannot post the configs.

Thanks for such an exclusive information about WOPI server. I am really impressed with your efforts.

There are 2 different implementations available for the WOPI server:

  • The cs3org one, which needs the app-registry and the cs3org WOPI server
  • The ocis one, which is the collaboration service.

You can think the collaboration service to be a cs3org WOPI server + app-registry.
The implementations are kind of incompatible between each other, so you should make sure there is only one of them running in your system.

As far as I know, the collaboration service isn’t started up by default when you run the ocis server command. Since you’ll need an external server (collabora in your case), it might be better to run the collaboration service in a different container.
At least in theory, this is a matter of preference.

Can I make work OCIS stand alone + Collabora (for example in docker )? or do I need to do everything in docker…

I’d recommend you set up everything in docker. It should be easier to have all the setup in the same file, and it also provides some network isolation as well as easier teardown of resources. The network isolation might be important because all the services will be within docker’s network and only the exposed port will be accessible from the outside.

Also I saw that in all documentation it is normally used Traefik? but I feel much more comfortable with nginx… would it work using NGINX? (Again I cannot send config I have tried)

I don’t think we have docs for NGINX so you’ll be on your own. As long as you can “translate” the Traefik configuration to NGINX, I think it should be fine.

Is there some kind of full tutorial with updated documentation, meaning for OCIS 6.1.0?? Can somebody please point me there? :slight_smile:

There are some deployment examples with the collaboration service in ocis/deployments/examples/ocis_full at master · owncloud/ocis · GitHub although I don’t know how useful it will be for you.

Hi @carlinhos ,
any progress on this?
Trying the same like you, but on podman.
Took me some days of trial and error to get ocis theming in a container to work, now I am trying to get Collabora up in a secure environment…
Since I use haproxy as a L3 proxy, I don't need traefik or caddy or some other Proxy+ACME helper.
I can put nginx between, so our setups are equal.
Maybe some users should team up for some better documentation.
I think a helpful documentation would be an example with
ocis yaml
wopi yaml
collabora yaml

For the sake of simplicity, certs should be /somepath/ocis.cert wopi.cert collabora.cert
All 3 on same host, inter container communication over localhost and publish only ports needed for collabora over ocis and for ocis.

Cheers
Chris

Hi,

Thanks for all the info about this…

So when you wrote this:

It means that I will need to run, for example, the Collaboration service in a different instance (container) than the OCIS application server? So in total there will be the following containers???

  • OCIS (as application server)
  • Collabora
  • OCIS (for the Collaboration application)
  • Nginx (in my case) some others I guess will be using Traefik

Yes then I will try also everything in Docker, as you said I think it will be more clear and secure to do.

Thanks again.

Hi @chrismaster

Still I did not have time to play with this I am also quite busy with normal work, I guess later during evening night I will try with the “Collaboration” service …

But yes, I agree with you 100%, maybe after we can put together some kind of manual for this so people don’t struggle as we are doing now :wink:

Also, I am doing SSL termination with the AWS ELB, so I am not taking into consideration any of the steps related to the certificates

Edit1: Added information about SSL termination

Today I had a look again to the documentation, and from what I read in the Collaboration service manual it is not so clear once more if needed or not WOPI server … :thinking:

If I understood well, it says that it needs the APP PROVIDER service … So now I am not sure if one should also add another docker for the APP Provider, or how it would be?

Also I found it a bit confusing when we start more than one OCIS instance, because unless I include the same ocis.yaml, the OCIS for APP Provider won’t start (since it would need to be reinitialized) … So I guess the ocis.yaml should be common for all the other OCIS instances + the special service in the other OCIS instances to be started… If I understood it properly…

You need

wopi …
Image=docker.io/owncloud/ocis-rolling:latest
Exec=collaboration server
when it's running you can curl on port 9300

collabora …
Image=docker.io/collabora/code:24.04.5.1.1
// for me, 24.04.5.2.1 has a bug for non root podman @ fedora 40
when it's running you can curl on port 9980

ocis …
Image=docker.io/owncloud/ocis-rolling:latest

@ Collaboration
go to Environment Variables, cause WOPI Configuration is outdated. …I think :slight_smile:

from the examples, ocis and wopi can share the config volume, but here I have a config volume for each.

I did everything with https with certs for each domain over environment variables…

atm I have published 9200 9980 and 9300, not sure if they are all needed. Some more try and error. Since it is all in a pod, they can communicate over localhost to each other.

Hi @chrismaster

Thanks for your help once more, so I have been trying it a bit, but still not able to make it work somehow… I have the following compose:

services:
  nginx:
    image: nginx:${NGINX_VERSION:-}
    container_name: nginx
    restart: always
    environment:
      TZ: Etc/UTC
    volumes:
      - /opt/docker/ocis/nginx:/etc/nginx/conf.d:ro
      - /var/log/nginx:/var/log/nginx
    ports:
      - 80:80
    networks:
      - ocis
  ocis:
    image:  owncloud/ocis-rolling:${RELEASE:-latest}
    restart: always
    entrypoint:
      - /bin/sh
    command: ["-c",  "ocis init || true; ocis server"]
    container_name: ocis
    volumes:
      - "/opt/docker/ocis/metadata:/var/lib/ocis/metadata"
      - "/opt/docker/ocis/data:/var/lib/ocis"
      - "/opt/docker/ocis/configs/ocis/app-registry-collabora.yaml:/etc/ocis/app-registry.yaml"
      - "/opt/docker/ocis/configs/ocis:/etc/ocis"
      - "/var/log/ocis:/logs"
    environment:
      OCIS_URL: "https://cloud.mydomain.com"
      OCIS_LOG_FILE: "/logs/output.log"
      PROXY_HTTP_ADDR: ${PROXY_HTTP_ADDR:-0.0.0.0:9200}
      STORAGE_USERS_DRIVER: ${STORAGE_USERS_DRIVER:-}
      STORAGE_USERS_S3NG_ROOT: ${STORAGE_USERS_S3NG_ROOT:-}
      STORAGE_SYSTEM_DRIVER: ${STORAGE_SYSTEM_DRIVER:-}
      STORAGE_USERS_S3NG_ENDPOINT: ${STORAGE_USERS_S3NG_ENDPOINT:-}
      STORAGE_USERS_S3NG_REGION: ${STORAGE_USERS_S3NG_REGION:-}
      STORAGE_USERS_S3NG_ACCESS_KEY: ${STORAGE_USERS_S3NG_ACCESS_KEY:-}
      STORAGE_USERS_S3NG_SECRET_KEY: ${STORAGE_USERS_S3NG_SECRET_KEY:-}
      STORAGE_USERS_S3NG_BUCKET: ${STORAGE_USERS_S3NG_BUCKET:-}
      DEMO_USERS: "false"
      PROXY_TLS: "false"
      OCIS_INSECURE: "true"
      OCIS_LOG_PRETTY: "true"
      OCIS_LOG_LEVEL: "info"
      # make the registry available to the app provider containers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
    networks:
      - ocis


  collabora:
    image: collabora/code:24.04.5.1.1
    container_name: collabora
    restart: always
    ports:
      - 9980:9980
    command: "/start-collabora-online.sh"
    environment:
      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopi.cloud.mydomain.com}:443
      DONT_GEN_SSL_CERT: "YES"
      domain: "cloud.mydomain.com"
      admin: "admin"
      password: "admin"
      extra_params: "--o:security.seccomp=false --o:security.capabilities=false --o:ssl.enable=false --o:ssl.termination=true"
    networks:
      - ocis

  ocis-collaboration:
    image:  owncloud/ocis-rolling:${RELEASE:-latest}
    restart: always
    entrypoint:
      - /bin/sh
    command: ["-c", "/usr/bin/ocis collaboration server"]
    container_name: ocis-collaboration
    volumes:
      - "/opt/docker/ocis/configs/ocis:/etc/ocis"
    environment:
      COLLABORATION_WOPIAPP_ADDR: http://collabora:9980
      COLLABORATION_APP_NAME: Collabora
      COLLABORATION_APP_INSECURE: true
      COLLABORATION_LOG_LEVEL: debug
      COLLABORATION_WOPI_SECRET: "AbcD1234"
    ports:
      - 9300:9300
    networks:
      - ocis


networks:
  ocis:

And even though the services ocis, collabora and nginx are running properly and I can log into the web app, somehow the ocis-collaboration doesn’t want to start… It's complaining with the following:

{"level":"info","service":"collaboration","time":"2024-07-29T23:45:44Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:17","message":"registering external service com.owncloud.api.collaboration.Collabora-42d1fbb2-93e6-44e2-a4cf-a0d05a8f6bf0@127.0.0.1:9301"}
{"level":"fatal","service":"collaboration","error":"Failed to connect to NATS Server: nats: no servers available for connection","time":"2024-07-29T23:45:44Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:21","message":"Registration error for external service com.owncloud.api.collaboration.Collabora"}

maybe some missing variables to setup there… but not sure which…

podman version 5.1.2, rootless container, rootless & passwordless user with fedora 40
certs auto-created/renewed with docker.io/goacme/lego:latest (4.17.4) over DNS Challenge

ocis.pod

# vi: ft=systemd
[Pod]
PodName=ocis
PublishPort=9445:9200
PublishPort=9980:9980
PublishPort=9300:9300

collabora.container
ver 24.04.5.2.1

# vi: ft=systemd
[Unit]
Description=Container collabora
After=local-fs.target

[Container]
ContainerName=collabora
Image=docker.io/collabora/code:latest
UserNS=keep-id:uid=100,gid=101

Volume=%h/collaboraETC/proof_key:/etc/coolwsd/proof_key:Z
Volume=%h/collaboraETC/proof_key.pub:/etc/coolwsd/proof_key.pub
Volume=%h/legoCERT/certificates/collabora.example.net.crt:/etc/coolwsd/cert.pem:ro,z
Volume=%h/legoCERT/certificates/collabora.example.net.key:/etc/coolwsd/key.pem:ro,z
Volume=%h/legoCERT/certificates/collabora.example.net.issuer.crt:/etc/coolwsd/ca-chain.cert.pem:ro,z

Environment=aliasgroup1=https://wopi.example.net:9300
Environment=extra_params="--o:mount_namespaces=false --o:ssl.enable=true --o:welcome.enable=false --o:net.frame_ancestors=files.example.net --o:logging.level=debug"

Pod=ocis.pod
AutoUpdate=registry

[Service]
TimeoutStartSec=900
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target default.target

ocis.container
ver 6.1.0

# vi: ft=systemd
[Unit]
Description=Container ocis
After=local-fs.target

[Container]
ContainerName=ocis
Image=docker.io/owncloud/ocis-rolling:latest

UserNS=keep-id:uid=1000,gid=1000

Volume=%h/ocisCFG:/etc/ocis:Z
Volume=%h/ocisDATA:/var/lib/ocis:Z
Volume=%h/legoCERT/certificates/files.example.net.crt:/crt/files.example.net.crt:ro,z
Volume=%h/legoCERT/certificates/files.example.net.key:/crt/files.example.net.key:ro,z

Environment=OCIS_URL=https://files.example.net
Environment=OCIS_LOG_LEVEL=debug
Environment=PROXY_TLS=true
Environment=GATEWAY_GRPC_ADDR=0.0.0.0:9142
Environment=OCIS_INSECURE=false
Environment=PROXY_TRANSPORT_TLS_CERT=/crt/files.example.net.crt
Environment=PROXY_TRANSPORT_TLS_KEY=/crt/files.example.net.key
Environment=MICRO_REGISTRY_ADDRESS=127.0.0.1:9233
Environment=NATS_NATS_HOST=0.0.0.0
Environment=NATS_NATS_PORT=9233
Environment=PROXY_CSP_CONFIG_FILE_LOCATION=/etc/ocis/csp.yaml
Environment=COLLABORA_DOMAIN=collabora.example.net
Environment=COMPANION_DOMAIN=wopi.example.net
Environment=FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR=com.owncloud.api.collaboration.Collabora

Pod=ocis.pod
AutoUpdate=registry

[Service]
TimeoutStartSec=900
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target default.target

wopi.container
ver 6.1.0

# vi: ft=systemd
[Unit]
Description=Container ocis
After=local-fs.target

[Container]
ContainerName=wopi
Image=docker.io/owncloud/ocis-rolling:latest
Exec=collaboration server

UserNS=keep-id:uid=1000,gid=1000

Volume=%h/wopiCFG:/etc/ocis:Z
Volume=%h/legoCERT/certificates/wopi.example.net.crt:/crt/wopi.example.net.crt:ro,z
Volume=%h/legoCERT/certificates/wopi.example.net.key:/crt/wopi.example.net.key:ro,z

Environment=OCIS_HTTP_TLS_ENABLED=true
Environment=OCIS_HTTP_TLS_CERTIFICATE=/crt/wopi.example.net.crt
Environment=OCIS_HTTP_TLS_KEY=/crt/wopi.example.net.key
Environment=COLLABORATION_GRPC_ADDR=0.0.0.0:9301
Environment=COLLABORATION_HTTP_ADDR=0.0.0.0:9300
Environment=MICRO_REGISTRY=nats-js-kv
Environment=MICRO_REGISTRY_ADDRESS=localhost:9233
Environment=COLLABORATION_WOPI_SRC=https://wopi.example.net:9300
Environment=COLLABORATION_APP_NAME=Collabora
Environment=COLLABORATION_APP_ADDR=https://collabora.example.net:9980
Environment=COLLABORATION_APP_ICON=https://collabora.example.net:9980/favicon.ico
Environment=COLLABORATION_APP_INSECURE=false
Environment=COLLABORATION_CS3API_DATAGATEWAY_INSECURE=true
Environment=COLLABORATION_LOG_LEVEL=debug

Pod=ocis.pod
AutoUpdate=registry

[Service]
TimeoutStartSec=900
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target default.target

bug collabora latest

This is only because of the bug in the latest collabora, you might not need it.

generate proof_key
can't Exec= 2 commands in a container, so I create them myself

ssh-keygen -t rsa -N "" -m PEM -f "collaboraETC/proof_key"

here in…
collaboraETC/proof_key
collaboraETC/proof_key.pub

test each container, use https and the domain and port
should work for each container, try-error till collabora works, then wopi. no curl -k needed, if an error, chache config. -v for cert debug. curl -4 and curl -6 should give the return
curl https://collabora.example.net:9980/hosting/discovery
→ return lots of xml with proof key at the end

curl https://wopi.example.net:9300/wopi
→ return I’m a teapot

curl https://files.example.net:9445
→ return lots of html

running coolconfig generate-proof-key in the collabora container might be a better option, in case the command does more things (unlikely, but you never know).
You might want to run it as part of the container startup:

    command: ["bash", "-c", "coolconfig generate-proof-key ; /start-collabora-online.sh"]

Ports 9200 (for ocis) and 9980 (for collabora) are needed. Port 9300 (for wopi) shouldn’t need to be exposed, although it must be accessible from collabora.
You might want to expose port 9300 to easily test the collaboration service is running, but ideally all access to the WOPI server should be done through the internal docker network.

Only one exec is possible in podman, as far as I know. Else I have to create a startup script. Didn't care…

Yes, the problem is, if I leave the container/pod (I do with the connection to https://wopi.example.net:…) I can't connect from ocis and collabora to wopi. So I think removing all the wopi.example.net secure stuff and staying with wopi inside the container will be the best. Don't need any https or wopi.example.net domain stuff when staying inside the pod.
ATM the firewall does need port 9200 & 9980 /tcp open. Or haproxy forwards to the container… But on the host atm I need to expose 9300 too, but it's only on localhost. No connection from outside possible.

The other thing, I want to try is starting Collaboration on the ocis container, then there will be only collabora & ocis (with added collaboration server)

This is more or less what I have for the wopi container in my environment:

  wopiserver_co:
    image: owncloud/ocis-rolling
    networks:
      ocis-net:
    depends_on:
      collabora:
        condition: service_healthy
    command: ['/usr/bin/ocis', 'collaboration', 'server']
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      COLLABORATION_WOPI_SRC: http://wopiserver_co:9300
      COLLABORATION_APP_NAME: "Collabora"
      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.jp.solidgear.prv}
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      #COLLABORATION_APP_PROOF_DISABLE: true
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"

      COLLABORATION_LOG_LEVEL: info
      OCIS_CONFIG_DIR: /etc/ocis/
    volumes:
      - ocis-config:/etc/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver_co.entrypoints=https"
      - "traefik.http.routers.wopiserver_co.rule=Host(`wopiserver_co.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.wopiserver_co.tls.certresolver=http"
      - "traefik.http.routers.wopiserver_co.service=wopiserver_co"
      - "traefik.http.services.wopiserver_co.loadbalancer.server.port=9300"
    logging:
      driver: "local"
    restart: always
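
The replies above make three checkable points: port 9300 only needs to be reachable from Collabora, the working collaboration configs set `MICRO_REGISTRY_ADDRESS` to the ocis container's port 9233 while the failing compose file sets none, and several `*_INSECURE` flags are left at `true`. The following Python audit covers them as an added example; it is not part of any post and not oCIS project code. The service maps are constructed from values posted in the thread, and the `audit` function and its finding labels are hypothetical names.

```python
# Added example: audit compose-style service definitions for points raised in this thread.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
WEAK_PASSWORDS = {"", "admin", "password"}

def audit(services, separate_netns=True):
    """Return a list of (service, finding) tuples.

    separate_netns=True models docker compose (each container has its own
    loopback); False models a podman pod, where containers share localhost.
    """
    findings = []
    for name, svc in services.items():
        env = {k: str(v) for k, v in svc.get("environment", {}).items()}
        # The collaboration service registers itself in the NATS registry
        # served by the main ocis container (port 9233 in the thread).
        if "collaboration" in svc.get("command", ""):
            addr = env.get("MICRO_REGISTRY_ADDRESS", "")
            host = addr.rsplit(":", 1)[0]
            if not addr:
                findings.append((name, "registry-unset"))
            elif separate_netns and host in LOOPBACK:
                findings.append((name, "registry-loopback"))
        # Port 9300 (WOPI) only has to be reachable from Collabora.
        for mapping in svc.get("ports", []):
            if str(mapping).split(":")[-1].split("/")[0] == "9300":
                findings.append((name, "wopi-port-published"))
        # *_INSECURE=true switches off TLS certificate verification.
        for key, value in env.items():
            if key.endswith("_INSECURE") and value.lower() == "true":
                findings.append((name, "tls-verify-off:" + key))
        if "password" in env and env["password"].lower() in WEAK_PASSWORDS:
            findings.append((name, "weak-admin-password"))
    return findings

# Constructed sample: reduced from the compose file that failed with the NATS error.
FAILING = {
    "collabora": {
        "command": "/start-collabora-online.sh",
        "ports": ["9980:9980"],
        "environment": {"admin": "admin", "password": "admin"},
    },
    "ocis-collaboration": {
        "command": "/usr/bin/ocis collaboration server",
        "ports": ["9300:9300"],
        "environment": {"COLLABORATION_APP_INSECURE": True},
    },
}
# Constructed sample: reduced from the working wopi fragment, INSECURE set to false.
REVISED = {
    "wopiserver_co": {
        "command": "/usr/bin/ocis collaboration server",
        "environment": {"MICRO_REGISTRY": "nats-js-kv",
                        "MICRO_REGISTRY_ADDRESS": "ocis:9233",
                        "COLLABORATION_APP_INSECURE": "false"},
    },
}

if __name__ == "__main__":
    for label, services in (("failing", FAILING), ("revised", REVISED)):
        print(label, audit(services))
```

Pass `separate_netns=False` when auditing the podman pod variant, where `localhost:9233` is a valid registry address because all containers share one network namespace.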

got a working setup?

here everything works.

want to add secure view, but think it is not possible with the setup.

Late to the party.

I don’t know if you missed that part of the documentation.

We created a flexible modular docker example for different kinds of feature sets.

https://owncloud.dev/ocis/deployment/ocis_full/

Besides, I can't change the default language to German. Maybe someone has a clue:
How to change collabora default language?

thx @micbar
great docs and hard to find :slight_smile:

Is there some magic key to set language for collabora. Won’t take the ocis user setting.
C.

You need v 6.1.0 to make the ocis language work in collabora.

I have ocis v6.1.0 ocis/wopi v6.1.0 and collabora/code 24.04.5.2.1
but, default is english.