Preface
I have recently been trying out solutions for online editing and previewing of Office documents, and I am currently using Collabora Office. However, the Collabora Docker image will not run in OpenShift: it keeps failing with `Operation not permitted`.
Collabora Office overview
Collabora Office provides a powerful office suite that lets you access documents, write new content, and work together on them.
- It can be installed on your own server
- It integrates with other applications (such as Nextcloud and ownCloud) or with your own application
- Internationalisation (i18n) support
- Collaborative editing
- It fits neatly into your own solution
Analysis - which privileges are needed
The Collabora Docker image will not run in OpenShift; it keeps failing with `Operation not permitted`. The reason is permissions: some of the operations it performs are forbidden in OpenShift (for enterprise-security reasons, the default restricted SCC runs containers as an arbitrary non-root UID and drops capabilities). So the approach is to work out which privileges it needs and grant them one by one. Each privilege granted widens the container's attack surface, so it pays to grant only what the analysis actually shows is required.
To work out which privileges it needs, we can look at its Dockerfile and the files it pulls in:
```dockerfile
FROM ubuntu:16.04
# Environment variables
ENV domain localhost
ENV LC_CTYPE en_US.UTF-8
# Setup scripts for LibreOffice Online
ADD /scripts/install-libreoffice.sh /
ADD /scripts/start-libreoffice.sh /
RUN bash install-libreoffice.sh
EXPOSE 9980
# Entry point
CMD bash start-libreoffice.sh
```
As the Dockerfile above shows, the file is simple, but it tells us two things:
- There is no `USER` instruction, so the image is built, and probably expects to run, as root (the install step and the entry point both execute with whatever UID the container gets).
- Two scripts are added. Of the two, `start-libreoffice.sh` runs when the container starts, so that is the one to look at closely:
```sh
#!/bin/sh
# Note: the shebang says /bin/sh, but the Dockerfile runs this script with bash,
# which is what the `==` tests and the {servers,tmp} brace expansion below rely on.
# Fix domain name resolution from jails (writes into the system template under /opt)
cp /etc/resolv.conf /etc/hosts /opt/lool/systemplate/etc/
if test "${DONT_GEN_SSL_CERT-set}" == set; then
    # Generate new SSL certificate instead of using the default
    mkdir -p /opt/ssl/
    cd /opt/ssl/
    mkdir -p certs/ca
    openssl genrsa -out certs/ca/root.key.pem 2048
    openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority"
    mkdir -p certs/{servers,tmp}
    mkdir -p "certs/servers/localhost"
    # (the original line also passed a stray `-key` option, which genrsa does not accept)
    openssl genrsa -out "certs/servers/localhost/privkey.pem" 2048
    # CN=localhost unless cert_domain is set
    if test "${cert_domain-set}" == set; then
        openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost"
    else
        openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=${cert_domain}"
    fi
    openssl x509 -req -in certs/tmp/localhost.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/localhost/cert.pem -days 9131
    mv certs/servers/localhost/privkey.pem /etc/loolwsd/key.pem
    mv certs/servers/localhost/cert.pem /etc/loolwsd/cert.pem
    mv certs/ca/root.crt.pem /etc/loolwsd/ca-chain.cert.pem
fi
# Replace trusted host and set admin username and password (in-place edits of the config;
# the `\/` and `\1` escapes are needed inside the perl s/// expressions)
perl -pi -e "s/localhost<\/host>/${domain}<\/host>/g" /etc/loolwsd/loolwsd.xml
perl -pi -e "s/<username (.*)>.*<\/username>/<username \1>${username}<\/username>/" /etc/loolwsd/loolwsd.xml
perl -pi -e "s/<password (.*)>.*<\/password>/<password \1>${password}<\/password>/" /etc/loolwsd/loolwsd.xml
perl -pi -e "s/<server_name (.*)>.*<\/server_name>/<server_name \1>${server_name}<\/server_name>/" /etc/loolwsd/loolwsd.xml
perl -pi -e "s/<allowed_languages (.*)>.*<\/allowed_languages>/<allowed_languages \1>${dictionaries:-de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru}<\/allowed_languages>/" /etc/loolwsd/loolwsd.xml
# Restart when /etc/loolwsd/loolwsd.xml changes (SIGHUP to loolwsd, which runs as lool).
# The original test had `-a /usr/bin/killall`, which only checks that the string is non-empty.
[ -x /usr/bin/inotifywait -a -x /usr/bin/killall ] && (
    /usr/bin/inotifywait -e modify /etc/loolwsd/loolwsd.xml
    echo "$(ls -l /etc/loolwsd/loolwsd.xml) modified --> restarting"
    /usr/bin/killall -1 loolwsd
) &
# Start loolwsd, switching from the script's user (root in the image) to lool
su -c "/usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:lo_template_path=/opt/collaboraoffice6.0 --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}" -s /bin/bash lool
```
Going through the script carefully:
- The first command, `cp /etc/resolv.conf /etc/hosts /opt/lool/systemplate/etc/`, writes into a directory that was created at build time as root (the Dockerfile has no `USER`). Under OpenShift's default restricted SCC the container runs as an arbitrary non-root UID, so this only works if the container runs as root or that directory is writable by the assigned UID.
- Next it generates certificates: `openssl` writes under `/opt/ssl/`, and the resulting key, certificate and CA chain are moved into `/etc/loolwsd/`, so both directories must be writable by the container's user.
- Then the variable substitutions run: `perl -pi` rewrites `/etc/loolwsd/loolwsd.xml` in place, which again needs write access to that file and, because `-i` creates a replacement file, to the `/etc/loolwsd/` directory.
- After that comes the watcher that restarts the service when `/etc/loolwsd/loolwsd.xml` changes. `/usr/bin/inotifywait` itself only needs read access to the file, but `/usr/bin/killall -1 loolwsd` sends SIGHUP to a process owned by `lool`; signalling another user's process requires root (or CAP_KILL), which the restricted SCC drops.
- Finally, `loolwsd` is started with `su -c ... lool`. Switching to another user needs root, since `su` relies on CAP_SETUID and CAP_SETGID, both of which the restricted SCC drops as well.
A useful hint when narrowing this down: a plain write into a non-writable directory reports `Permission denied` (EACCES), whereas `Operation not permitted` (EPERM) is what you get from signalling another user's process or changing user without the right capability, which points at the `killall`/`su` steps rather than the file copies.
Preliminary summary of the privileges needed:
- root user
- inotifywait
- killall
- su -c
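As an added example (not part of the Collabora image or the original post), here is a POSIX shell preflight check that probes, as whatever UID the container actually gets, each precondition the start script above relies on: write access to the paths it touches, presence of the tools it calls, and whether the UID is root, which `su` and `killall -1` need. The `PREFIX` and explicit uid arguments are assumptions made so the check can be run against a scratch directory; inside a pod you would run it with `--run` and no further arguments via `oc rsh` or `oc debug`.

```sh
#!/bin/sh
# Preflight check for start-libreoffice.sh (added example, not Collabora code).
# Run it inside the pod as the UID the container really gets and it reports
# each precondition of the start script that would fail.
# PREFIX (a scratch directory) and an explicit uid are only for running it
# outside a container; they default to the real filesystem and `id -u`.

# Paths the start script writes to (taken from the script itself).
WRITE_TARGETS="/opt/lool/systemplate/etc /opt/ssl /etc/loolwsd /etc/loolwsd/loolwsd.xml"
# Binaries the start script executes.
TOOLS="cp openssl perl inotifywait killall su"

# check_writable PREFIX PATH: prints "ok PATH" and returns 0,
# or prints "FAIL PATH (reason)" and returns 1.
check_writable() {
    p="$1$2"
    if [ ! -e "$p" ]; then
        echo "FAIL $2 (missing)"; return 1
    fi
    if [ ! -w "$p" ]; then
        echo "FAIL $2 (not writable by uid $(id -u))"; return 1
    fi
    echo "ok $2"
}

# check_tool NAME: is the binary on PATH?
check_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        echo "ok $1"
    else
        echo "FAIL $1 (not found in PATH)"; return 1
    fi
}

# check_uid UID: `su -c ... lool` and `killall -1 loolwsd` (a process owned by
# lool) need root, i.e. CAP_SETUID/CAP_SETGID and CAP_KILL, which the
# restricted SCC drops, so any non-zero UID fails here.
check_uid() {
    if [ "$1" -eq 0 ]; then
        echo "ok uid 0 (su and killall possible)"
    else
        echo "FAIL uid $1 (su -c ... lool and killall -1 loolwsd need root)"; return 1
    fi
}

# preflight [PREFIX] [UID]: print the report and return the number of failures.
preflight() {
    prefix="${1:-}"
    uid="${2:-$(id -u)}"
    fails=0
    for t in $WRITE_TARGETS; do
        check_writable "$prefix" "$t" || fails=$((fails + 1))
    done
    for t in $TOOLS; do
        check_tool "$t" || fails=$((fails + 1))
    done
    check_uid "$uid" || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

# Only run the report when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-}" "${3:-}"
fi
```

Run as `sh preflight.sh --run` inside the pod; a non-zero exit status with the `FAIL` lines tells you which of the steps above will break before you touch any SCC, so you can grant the narrowest thing that clears the failing checks rather than reaching for `privileged` straight away.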