Docker permissions - how and where?


Hi, I find it really frustrating that I do not understand how Docker on my DS718+ manages permissions.
I noticed several tutorials suggest images from linuxserver.io, which use either an Ubuntu- or an Alpine-based image (linuxserver/docker-baseimage-alpine) with the S6 overlay; then one can use PGID and PUID to run the process.
But I could not find (yet) how to use it.

I'm trying to run the process as a user in the container with the mounted volume, but I always get permission denied for the user inside the container (everything works if the user in the container is root).

I searched for hours and could not find the solution. Is there any guide/article/tutorial or reverse-engineered documentation on how the user permissions work and how to set them up?

I'd be glad if someone could tell me how to set up permissions to mounted volumes

Thank you!
 

SynoMan
Hi and welcome to the forum.

Maybe this resource can help:
 

Shadow
Let me give you an example of how I managed to get my qBittorrent Docker container to work with a self-made non-human account. This was necessary for me so it will have access to place completed downloads in my movies folders without the need for the container to use root permissions.

Note: I use Synology LDAP .

After I created a non-human (service) account and added it to the required access groups, with an LDAP browser I can look up the PGID and PUID numbers I need:


So with this SSH command I can start my qBittorrent running with that account:

docker run --name=qbittorrent --restart=unless-stopped --net=container:nordvpn3 -e PUID=1000035 -e PGID=1000014 -e TZ=Europe/Amsterdam -e UMASK_SET=022 -e WEBUI_PORT=8090 -v /volume1/docker/qbittorrent/config:/config -v /volume1/docker/qbittorrent/downloads:/downloads -v /volume1/General/Movies:/gmovies -d linuxserver/qbittorrent
 
Hi SynoMan, that was a quick response.
I indeed know how to find the UID and GID, but it was still not enough.

To answer my own question:
It looks like the UID of the user does not matter for mounted volumes.

What matters is GID and the permissions set via DSM.

example:



Users:

user in NAS: NasUser with UID=333
user in container: containerUser with UID=444

Groups:

in NAS Group created via DSM: docker-volume-access-group | GID=65538
in container: mounted-group | GID=888

Directories:

NAS: /volume1/<shared_directory>/docker_volumes with group user with GID=222

Container: /var/mounted with group GID=888


Now when we create a container with docker-compose up -d

YAML:
version: '3.7'
services:
  app:
    container_name: app
    image: "alpine:3.12"
    command: tail -f /dev/null
    volumes:
      - "/volume1/<shared_directory>/docker_volumes:/var/mounted"

Inside the container we expect this structure:
Code:
drwxrwxrwx    1 444     888             24 Dec 31 10:49 /var/mounted


We list the directory inside the container as containerUser with docker exec -u 444 app ls -lan /var/
and we get this result:

Code:
ls: can't open '/var/mounted': Permission denied

And when we list the directory inside the container as root with docker exec app ls -lan /var/
we get this result:
Code:
drwxrwxrwx    1 444     100             24 Dec 31 10:49 /var/mounted

This means that the mounted volume is still owned by group 100; this is partially a Synology/Docker thing.

So to access the shared volume as our user containerUser we need to create a group docker-volume-access-group, assign it to NasUser, then use the terminal inside the NAS to get the GID of the group:
Code:
id NasUser

uid=333(NasUser) gid=100(users) groups=100(users),65538(docker-volume-access-group)

Then give access to /volume1/<shared_directory>/docker_volumes via DSM group or file manager.

and then we should be able to list the content of /var/mounted like so:
docker exec -u 1:65538 app ls -lan /var/mounted

So the GID set inside the container must be the same as the GID in the NAS, and that group must have access to the files.
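A small POSIX sh probe that illustrates the point of this post (an added example, not the OP's script; the container name app and the path /var/mounted are taken from the post above, the uid/gid values in the comments are this thread's): it computes what the classic owner/group/other mode bits would allow for the process's uid and groups and compares that with what the kernel actually grants, so a 777 directory that still denies access shows up as a mismatch pointing at a host-side ACL rather than at the mode bits.

```shell
# posix_allows MODE OWNER_UID OWNER_GID UID "GID LIST" WANT
# MODE is the ls -l mode string (e.g. drwxrwxrwx), WANT is r, w or x.
# Prints "allowed" or "denied" following only the classic owner/group/other bits.
posix_allows() {
  mode=$1; ouid=$2; ogid=$3; uid=$4; gids=$5; want=$6
  if [ "$uid" -eq 0 ]; then echo allowed; return 0; fi   # root, directory access
  if [ "$uid" -eq "$ouid" ]; then
    bits=$(printf '%s' "$mode" | cut -c2-4)                # owner triplet
  else
    bits=$(printf '%s' "$mode" | cut -c8-10)               # "other" triplet ...
    for g in $gids; do                                     # ... unless a group matches
      if [ "$g" -eq "$ogid" ]; then bits=$(printf '%s' "$mode" | cut -c5-7); break; fi
    done
  fi
  case "$bits" in *"$want"*) echo allowed; return 0 ;; esac
  echo denied; return 1
}

# probe_dir DIR: run inside the container as the service user, for example
#   docker exec -u 444:888 app sh /probe.sh /var/mounted
# Compares what the mode bits promise with what the kernel actually grants.
# A mismatch (bits say allowed, kernel says denied) means something outside
# the mode bits, such as a Synology ACL on the host share, is deciding access.
probe_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
  set -- $(ls -ldn "$dir")          # fields: mode links uid gid size ...
  mode=$1; ouid=$3; ogid=$4         # a trailing "+" on mode already hints at an ACL
  uid=$(id -u); gids=$(id -G)
  echo "process uid=$uid gids=$gids; $dir owner=$ouid group=$ogid mode=$mode"
  rc=0
  for want in r w x; do
    expect=$(posix_allows "$mode" "$ouid" "$ogid" "$uid" "$gids" "$want")
    if test -$want "$dir"; then actual=allowed; else actual=denied; fi
    echo "$want: mode bits say $expect, kernel says $actual"
    [ "$expect" = "$actual" ] || rc=1
  done
  [ "$rc" -eq 0 ] || echo "mismatch: align the container GID with a host group that the share's ACL grants access to"
  return "$rc"
}

if [ $# -eq 1 ]; then probe_dir "$1"; fi
```

Copy the script into the container (a bind mount is enough) and run it with the same -u uid:gid you plan to use for the service; the r/w/x lines tell you whether the mode bits or a host ACL are the thing to fix.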
 
Matching the UID:GID of the folder owner on the host and the user executing the main process usually does the trick. Except when synoacl comes into play; then just aligning the UID:GID might be insufficient, as metadata for the ACL is known to the host but unknown inside the container.
 
I see it's quite tricky. I wish this was documented somewhere
 
True, I forgot UMASK, whose value is subtracted from the actual Linux permission mask. To quote one of my favorite TV shows: happy, happy, joy, joy!
 
I'm having a similar issue with Docker and the mvance/unbound container. I can't figure out how to link external folders to the container in a way that doesn't end up with the container failing to start because it can't read the files in the shared directories.

I'm not sure I followed the above. Do I start the container without the volume linking, then open a bash shell inside the container to see what the G/UIDs are, then figure out a way to change the permissions on the NAS side to match?
 
I figured it out. There was no need to change permissions on the NAS, just edit the appropriate settings file to not try to open other files that didn't exist. node-red required SSH into the NAS to change the folder GID to 1000, but so far the rest of the containers have been working well out of the box... once you figure out where the errors are coming from.
 
Guys, can you please help a noobie :)

All I want to do is run some containers using pre-built images and I'm not sure who to shoot... Docker or Synology.

Some of my containers work fine... I put in the UID/GID of my account that has R/W access on the 'data' folder tree
Other containers, using only the same 'data' folder tree and UID/GID, only get read access, not write. Thus, I can't save files.
All of them work fine in the 'Docker' tree, where the configs are saved.

thx for the help!
 

Rusty
What specific repo/image is in question?
 

issues with...
wiorca/docker-windscribe-qbittorrent
kabe0/deluge-windscribe/

working fine...
portainer/portainer-ce
linuxserver/radarr:latest
linuxserver/sonarr:latest
linuxserver/jackett:latest
linuxserver/deluge:latest

I'm trying to get a VPN working with a torrent client. I'm open to running a separate VPN container and routing other containers through it, but I can't find good info (for noobies) on how to update existing containers to use a separate VPN container without rebuilding and losing container config... meaning, can I just run a command or modify an existing container like jackett so I don't kill the settings I already have for the app?

thx for the help!
 

Rusty
Try this torrent client with vpn