Server audit -> Performance "always poor"

[nooblag]

Describe the Bug

Dialog box always says "server is configured with insufficient hardware resources, which may lead to poor performance" even when following or exceeding recommended performance settings at the SDK link provided in the dialog box: https://sdk.collaboraonline.com/docs/installation/Configuration.html#performance

Steps to Reproduce

1. Open document
2. Click "open" against "check security warnings on your server" dialog
3. Dialog shows "server is configured with insufficient hardware resources, which may lead to poor performance" even when following or exceeding recommended performance settings at the SDK link provided in the dialog box.

Expected Behavior

No warning

Actual Behavior

"Server is configured with insufficient hardware resources, which may lead to poor performance" even when following or exceeding recommended performance settings at the SDK link provided in the dialog box

Screenshots

Server

COOLWSD version: 24.04.7.2
LOKit version: Collabora Office 24.04.7.2
Served by: Ubuntu 22.04.5 LTS
RAM: 4.68GB
Swap: 2GB
CPUs: 3x

Firefox 130.0.1

[thebearon]

This warning is issued if std::thread::hardware_concurrency() (details here) is less than 4.

Code reference:

online/wsd/COOLWSD.cpp

Line 2736 in d4bb908

if (nThreads < 4)

I'm not sure about this warning, either, because as far as I can see no configuration can affect it (assigning more physical cores to the server does).

@eszkadev, what would be your thoughts?

[thebearon]

On a sidenote, since std::thread::hardware_concurrency() returning 0 is a special case, I wouldn't simply set nThreads to 1 in that case.

[eszkadev]

You mentioned CPUs: 3x <- I think it is related to you machine or vm or container CPU number, not limits in the coolwsd.

[thebearon]

@eszkadev The SDK page the admins are directed to isn't very helpful.

[hfiguiere]

how can we improve it?

[nooblag]

If this is related to available CPU cores (?), fair enough -- but just to report, I also get the same warning when setting num_prespawn_children to 5.

I also agree the documentation in its current state is poor. I can't find any info there about minimum system specifications/requirements for example, nor suggestions to fix the server auditing warning, etc.

And also what to do, if like me, adding CPU cores isn't an (easy) option?

[megvadulthangya]

Hi GUYZ!
I get this same message in code when i open any docs...

I just moved from bookworm to alpine linux.

Before i moved all was fine, never see this msg. Any idea?

[eszkadev]

If this is related to available CPU cores (?), fair enough -- but just to report, I also get the same warning when setting num_prespawn_children to 5.

num_prespawn_children is not for that. it defines how many "waiting" instances ready for loading document we keep.

The error is about processing power of your system. You need 4 or more threads. Best to check the VM / container settings. Please assign more virtual CPUs. On any modern bare metal machine it should be fine :)

Also there is max_concurrency setting in coolwsd. That also could be important (The maximum number of threads to use while processing a document.).

I hope this will solve the problem for you

[nooblag]

Thanks for getting back.

So it sounds like two things might be needed to fix this issue?

1. Improve the documentation
2. Improve the UI for that dialog box so the performance warning can be 'ignored'?

Re the point on "you need 4 or more threads" -- if this is the case, I think it should say so in the documentation. As I say, I could not find anything on minimum expected requirements. Seems important, especially if the code base is testing against them.

To improve the UI then, perhaps a way to turn this warning off for a system that will never have more than 3 threads (like mine, as adding CPUs to our platform is prohibited due to cost constraints)?

[megvadulthangya]

DEV guyz! Is it possible to just disable the annoying popup about this

"Check security warnings about your server"

I really dont want to see that bullcrapp when i open a document.

[BiglifeMatt]

My Collabora settings are default. My VM is allowed 2 cores and running 16 GB RAM. Not sure where the error message is coming into play. Does it need 4 cores? That seems new. Do I need to increase the settings beyond the defaults?

[jacobgkau]

The error is about processing power of your system. You need 4 or more threads. Best to check the VM / container settings. Please assign more virtual CPUs. On any modern bare metal machine it should be fine :)

You may be a developer of the program, but you're just wrong in saying I "need" 4 or more threads. My virtual machine has two cores, and Collabora is working fine, other than now giving me a multi-second popup warning every time I open a document.

Can we get an option to disable the "Check security warnings of your server" popup, if it's going to include things completely unrelated to security that aren't actually an issue?

[eszkadev]

That popup was introduced to make administrators aware of potential issues. You are right - it's not required, but recommended to provide best experience.

As general rule is to not use administrator accounts for regular work - that's why we decided to put this popup only for users who are marked as administrator by the integration (document provider like Nextcloud). As a quick fix in current version you can try to use non-priviledged user account - it shouldn't show that warning.

[jacobgkau]

As general rule is to not use administrator accounts for regular work - that's why we decided to put this popup only for users who are marked as administrator by the integration (document provider like Nextcloud). As a quick fix in current version you can try to use non-priviledged user account - it shouldn't show that warning.

What? Can you point to any official Nextcloud documentation that suggests I should need to create two users for my single-user server?

It makes sense to not show any warnings to non-admins, but you're now making quite a large statement about the correct configuration for Nextcloud, and I don't agree that it's related to the UX issue of this pop-up. If you wanted people to not use privileged accounts, you could just make a toast about that (which would probably get more complaints)-- with this, you're not warning anyone who's using a privileged account if they happen to have 4 or more cores, because the account being privileged is not what the warning's about.

Also, if admins are not intended to use their admin accounts for "regular work" (which would include document editing), why are there any notifications in the Collabora editor interface at all? If an admin does as you say and never edits documents with that account, only using a non-privileged account, then they will never see any of the notifications, and they'll all be pointless.

[eszkadev]

I do not say it's correct Nextcloud configuration. I said Nextcloud is an example of "document provider" / "integration" I mentioned in my answer.

Usage of a regular user account is just a "quick fix" proposal (until we solve the problem). I proposed that as it's a common security-improving-pattern: "as general rule is to not use administrator accounts for regular work" and might work for some users. Not any dedicated solution for COOL or NC, I'm sorry if I made it unclear :)

Yes - it is a good solution to provide option to disable popup for admin user (as an intentional step by changing the coolwsd.xml for example). So if someone is confident - can ignore the popup.

[eszkadev]

I forgot there is a setting to disable server audit in coolwsd.xml already:
https://github.com/CollaboraOnline/online/blob/master/coolwsd.xml.in#L122

inside logging section:

<disable_server_audit type="bool" desc="Disabled server audit dialog and notification. Admin will no longer see warnings in the application user interface. This doesn't affect log file." default="false">false</disable_server_audit>

[eszkadev]

Does that solve your issue? Can we close the ticket?

[jacobgkau]

Does that solve your issue? Can we close the ticket?

The crux of the issue here is that the server having less than four cores is not a security issue. It would be nice to be able to still see pop-ups for actual security-related issues, without this unrelated thing causing the pop-up. Does that make sense?

If the pop-up is intended to be about any server configuration and not just security, then the verbiage should be changed from "Check security warnings of your server" to something else, like "Check your server configuration."

[jacobgkau]

Regarding the heavy-handed disable_server_audit setting, I tried applying it to my Podman container using -e "disable_server_audit=true", but it did not change the behavior. Is there a way to configure this via an environment variable? If not, what's the recommended way to configure it in a container? I didn't previously need to mount any config files/directories in order to perform configuration for the container (I had server_name=... and dictionaries=... configured via environment variables).

[eszkadev]

Regarding the heavy-handed disable_server_audit setting, I tried applying it to my Podman container using -e "disable_server_audit=true", but it did not change the behavior. Is there a way to configure this via an environment variable? If not, what's the recommended way to configure it in a container? I didn't previously need to mount any config files/directories in order to perform configuration for the container (I had server_name=... and dictionaries=... configured via environment variables).

@jacobgkau disable_server_audit is inside logging section (#10092 (comment)).
You need full path to variable: logging.disable_server_audit probably?

[eszkadev]

If the pop-up is intended to be about any server configuration and not just security, then the verbiage should be changed from "Check security warnings of your server" to something else, like "Check your server configuration."

I see, so "security" word is confusing now.

Previously we didn't have performance warning there, but CPU number seems to be popular cause of issues - so it was added, without popup change.

[eszkadev]

@Darshan-upadhyay1110 it is a good candidate for an easy hack :) #hacktoberfest

[bjo81]

Previously we didn't have performance warning there, but CPU number seems to be popular cause of issues - so it was added, without popup change.

Maybe another config option like "ignore hardware requirements" would be an option? Setting it would make admins aware of potential issues, but e.g. I'm running Collabora now on a box with 2 cores for a Nextcloud used by 3 users. I think it's unlikely that we run into issues, but providing a Collabora instance for 20 users with only 2 cores would be bad for sure.

[jacobgkau]

You need full path to variable: logging.disable_server_audit probably?

I've just tried applying that, and I still see the pop-up after restarting the container with that setting. Could there be another format for a nested setting?

I agree with @bjo81, it would be ideal if security configuration issues and non-security related, possibly-not-configuration-related hardware requirement suggestions were separate settings. Modified verbiage and figuring out how to apply the setting properly would at least be a big improvement, though.

[nooblag]

Previously we didn't have performance warning there, but CPU number seems to be popular cause of issues - so it was added, without popup change.

Maybe another config option like "ignore hardware requirements" would be an option? Setting it would make admins aware of potential issues, but e.g. I'm running Collabora now on a box with 2 cores for a Nextcloud used by 3 users. I think it's unlikely that we run into issues, but providing a Collabora instance for 20 users with only 2 cores would be bad for sure.

Yes. Improving documentation to explain that relationship re users -> cores would also be helpful. As well as the rationale about the '4 cores' minimum spec, etc. As in OP, this link the dialog points to says nothing about any of this.

[thebearon]

I've just tried applying that, and I still see the pop-up after restarting the container with that setting. Could there be another format for a nested setting?

This is the correct syntax: -e "extra_params=--o:logging.disable_server_audit=true"

See the following page for reference: https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html

[jacobgkau]

@thebearon Thank you, the extra_params=--o: syntax was obviously what I was missing. I can now confirm applying that setting does work as a workaround to disable the pop-up altogether.

[UltimateByte]

Hi,

I'll give my 2 cents to sum up what made sense to me on this thread in order to help CollaboraOnline team to address the issue efficiently:

• Not having enough cores is by no means a "security issue", so that is alarming for no reason and needs to be addressed.
  ("If you cry wolf too many times, no one will believe you when the wolf actually comes.")
• Provided documentation is quite helpless as the warning is about hardware requirements, while the documentation only talks about software settings. This should point to actual hardware requirements. SDK: hardware-requirements
• Disabling all audits or warnings is not a valid long term option as we need to know actual security issues.
• Many (if not most) of us don't need a 4 cores VM for their use while a 2 cores is barely used already. The best way to implement this would be to only trigger a warning if CPU is frequently saturated by Collabora. But not a security warning, something else.

I hope this helps nailing down the problem, and possible solution.