Docker permissions - how and where?

Hi, I find it really frustrating that I do not understand how Docker on my DS781+ manages the permissions.
I noticed several tutorials suggest images from linuxserver.io which use either an Ubuntu or Alpine based image (linuxserver/docker-baseimage-alpine with S6 overlay), then one can use PGID and PUID to run the process.
But I could not find out (yet) how to use it.

I'm trying to run the process as a user in the container with the mounted volume, but I always get permission denied for the user inside the container (everything works if the user in the container is root).

I searched for hours and could not find the solution. Is there any guide/article/tutorial or reverse-engineered documentation on how the user permissions work and how to set them up?

I'd be glad if someone could tell me how to set up permissions for mounted volumes.

Thank you!
 
Hi and welcome to the forum.

Maybe this resource can help:
 
Let me give you an example of how I managed to get my qBittorrent Docker container to work with a self-made non-human account. This was necessary for me so it will have access to place completed downloads in my movies folders without the container needing to use root permissions.

Note: I use Synology LDAP.

After I created a non-human (service) account and added it to the required access groups, with an LDAP browser I can search for the PGID and PUID numbers I need:
[image: 1609414165074.png]


So with this SSH command I can start my qBittorrent running with that account:

docker run --name=qbittorrent --restart=unless-stopped --net=container:nordvpn3 -e PUID=1000035 -e PGID=1000014 -e TZ=Europe/Amsterdam -e UMASK_SET=022 -e WEBUI_PORT=8090 -v /volume1/docker/qbittorrent/config:/config -v /volume1/docker/qbittorrent/downloads:/downloads -v /volume1/General/Movies:/gmovies -d linuxserver/qbittorrent
 
Hi SynoMan, that was a quick response!
I indeed know how to find the UID and GID, but it was still not enough.

To answer my own question:
It looks like the UID of the user does not matter for mounted volumes.

What matters is the GID and the permissions set via DSM.

Example:

Users:

user in NAS: NasUser with UID=333
user in container: containerUser with UID=444

Groups:

in NAS Group created via DSM: docker-volume-access-group | GID=65568
in container: mounted-group | GID=888

Directories:

NAS: /volume1/<shared_directory>/docker_volumes with group user with GID=222

Container: /var/mounted with group GID=888


Now when we create a container with docker-compose up -d

YAML:
version: '3.7'
services:
  app:
    container_name: app
    image: "alpine:3.12"
    command: tail -f /dev/null
    volumes:
      - "/volume1/<shared_directory>/docker_volumes:/var/mounted"

Inside the container we expect this structure:
Code:
drwxrwxrwx    1 444     888             24 Dec 31 10:49 /var/mounted


When we list the directory inside the container as containerUser with docker exec -u 444 app ls -lan /var/
we get this result:

Code:
ls: can't open '/var/mounted': Permission denied

And when we list the directory inside the container as root with docker exec app ls -lan /var/
we get this result:
Code:
drwxrwxrwx    1 444     100             24 Dec 31 10:49 /var/mounted

This means that the mounted volume is still owned by group 100; this is partly a Synology/Docker thing.

So to access the shared volume as our user containerUser we need to create a group docker-volume-access-group, assign it to NasUser, then use the terminal inside the NAS to get the GID of the group:
Code:
id NasUser

uid=333(NasUser) gid=100(users) groups=100(users),65538(docker-volume-access-group)

Then give access to /volume1/<shared_directory>/docker_volumes via DSM group or file manager.

and then we should be able to list the content of /var/mounted like so:
docker exec -u 1:65538 teamspeak ls -lan /var/mounted

So the GID set inside the container must be the same as the GID in the NAS, and that group must have access to the files.
 
Matching the UID:GID of the folder owner on the host and the user executing the main process usually does the trick. Except when synoacl comes into play; then just aligning the UID:GID might be insufficient, as metadata for the ACL is known to the host but unknown inside the container.
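As an added example (not code from anyone in this thread), the following Python script reproduces the reasoning of the self-answer above and of the synoacl remark: it parses `id` and `ls -lan` output, applies the classic owner/group/other mode-bit check for a given uid:gid, builds the `uid:gid` string for `docker exec -u` / `docker run --user` from the host group, and, when the mode bits would permit the access but it was still denied, points at a host-side ACL that the container cannot see. The id line, the ls lines and the host path are constructed samples modelled on the thread's numbers; the function names are my own.

```python
"""Mode-bit diagnosis for Docker bind mounts (added example, not from the thread)."""
import re

# Constructed sample values modelled on the thread's numbers, not real output.
HOST_ID_OUTPUT = "uid=333(NasUser) gid=100(users) groups=100(users),65538(docker-volume-access-group)"
LS_IN_CONTAINER = "drwxrwxrwx    1 444     100             24 Dec 31 10:49 /var/mounted"
LS_ON_HOST_AFTER_FIX = "drwxrwx---    1 333     65538           24 Dec 31 10:49 /volume1/share/docker_volumes"

# mode, optional ACL marker ('+' is printed by GNU ls when an ACL is present), links, uid, gid
MODE_RE = re.compile(r"^[dl-]([rwxsStT-]{9})([+@.]?)\s+\d+\s+(\d+)\s+(\d+)\s")
ID_RE = re.compile(r"uid=(\d+)\([^)]*\)\s+gid=(\d+)\([^)]*\)\s+groups=(\S+)")
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_ls_line(line):
    """Return (mode_bits, acl_marker, owner_uid, owner_gid) from an `ls -lan` line."""
    m = MODE_RE.match(line)
    if not m:
        raise ValueError("not an ls -lan line: %r" % line)
    bits, marker, uid, gid = m.groups()
    return bits, marker, int(uid), int(gid)


def parse_id(output):
    """Return (uid, gid, {group_name: gid}) from the output of `id <user>`."""
    m = ID_RE.search(output)
    if not m:
        raise ValueError("unrecognised id output: %r" % output)
    groups = {name: int(num) for num, name in GROUP_RE.findall(m.group(3))}
    return int(m.group(1)), int(m.group(2)), groups


def posix_allows(bits, owner_uid, owner_gid, uid, gid, sup_gids=(), want="rwx"):
    """Classic owner/group/other check; deliberately ignores ACLs and capabilities."""
    if uid == 0:                      # root bypasses mode bits (DAC override)
        return True
    if uid == owner_uid:
        cls = bits[0:3]
    elif owner_gid == gid or owner_gid in sup_gids:
        cls = bits[3:6]
    else:
        cls = bits[6:9]
    granted = {"r": cls[0] == "r", "w": cls[1] == "w", "x": cls[2] in "xst"}
    return all(granted[p] for p in want)


def diagnose(ls_line, uid, gid, sup_gids=(), want="rwx", observed_denied=False):
    """Explain what the mode bits say for uid:gid; if the caller saw a denial the
    bits do not explain, the cause lives outside the container (host ACL)."""
    bits, marker, o_uid, o_gid = parse_ls_line(ls_line)
    by_mode = posix_allows(bits, o_uid, o_gid, uid, gid, sup_gids, want)
    if by_mode and observed_denied:
        return ("mode bits permit %s for %d:%d but access was denied: "
                "check host ACLs (synoacl / DSM permissions) on the path" % (want, uid, gid))
    if by_mode:
        return "mode bits permit %s for %d:%d" % (want, uid, gid)
    if uid != o_uid and o_gid != gid and o_gid not in sup_gids:
        return ("mode bits deny %s: %d:%d is neither owner (%d) nor in group %d; "
                "run the process with gid %d or grant the group via DSM"
                % (want, uid, gid, o_uid, o_gid, o_gid))
    return "mode bits deny %s for %d:%d" % (want, uid, gid)


def user_arg_for_group(id_output, group_name, uid=1):
    """Build the uid:gid string for `docker run --user` / `docker exec -u` so the
    container's GID matches the host group that was granted access."""
    _, _, groups = parse_id(id_output)
    return "%d:%d" % (uid, groups[group_name])


if __name__ == "__main__":
    # 777 inside the container, yet denied: the mode bits are not the problem.
    print(diagnose(LS_IN_CONTAINER, 444, 888, observed_denied=True))
    # Host directory restricted to the NAS group: wrong gid is denied, right gid passes.
    print(diagnose(LS_ON_HOST_AFTER_FIX, 444, 888))
    print(diagnose(LS_ON_HOST_AFTER_FIX, 1, 65538))
    print(user_arg_for_group(HOST_ID_OUTPUT, "docker-volume-access-group"))
```

Run it on the NAS by pasting the real `id <user>` line and the `ls -lan` line of the mounted path into the constants; a `+` after the mode in the host's `ls -l` output is the quick sign that an ACL, not the uid/gid pairing, is what the container is missing.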
 
I see it's quite tricky. I wish this was documented somewhere.
 
I'm having a similar issue with Docker and the mvance/unbound container. I can't figure out how to link external folders to the container in a way that doesn't end up with the container failing to start because it can't read the files in the shared directories.

I'm not sure I followed the above. Do I start the container without the volume linking, then open a bash shell inside the container to see what the G/UIDs are, then figure out a way to change the permissions on the NAS side to match?
 
I figured it out. There was no need to change permissions on the NAS, just edit the appropriate settings file to not try to open other files that didn't exist. node-red required SSH into the NAS to change the folder GID to 1000, but so far the rest of the containers have been working well out of the box... once you figure out where the errors are coming from.
 
Guys, can someone please help a noobie :)

All I want to do is run some containers using pre-built images and I'm not sure who to shoot... Docker or Synology.

Some of my containers work fine... I put in the UID/GID of my account that has R/W access on the 'data' folder tree.
Other containers, using only the same 'data' folder tree and UID/GID, only get read access, not write. Thus, I can't save files.
All of them work fine in the 'Docker' tree, where the configs are saved.

thx for the help!
 
What specific repo/image is in question?
 
issues with...
wiorca/docker-windscribe-qbittorrent
kabe0/deluge-windscribe/

working fine...
portainer/portainer-ce
linuxserver/radarr:latest
linuxserver/sonarr:latest
linuxserver/jackett:latest
linuxserver/deluge:latest

I'm trying to get a VPN working with a torrent client. I'm open to running a separate VPN container and routing other containers to it, but I can't find good info (for noobies) on how to update existing containers to use a separate VPN container without rebuilding and losing container config... meaning, can I just run a command or modify an existing container like jackett so I don't kill the settings I already have for the app?

thx for the help!
 
Try this torrent client with vpn

 
Just tried it, and seem to have the same folder perms issue... read = yes, write = no.
Configured exactly as shown here... Docker Hub

Used Enviro for all items, including PUID/GUID for my admin acct 1027/101
plus...
VPN User/PW
/downloads volume mapped to /volume1/media/downloads
/config volume mapped to /volume1/docker/markusmcnugen-qbittorrentvpn
OVPN in /volume1/docker/markusmcnugen-qbittorrentvpn/openvpn
 
You need to use PUID / PGID
 
What exact error are you getting with this container?
 
You need to use PUID / PGID
Yes I did... just a typo in the post
What exact error are you getting with this container?
Not sure what you are looking for... the container itself doesn't throw an error.

When qBit tries to write to the /downloads folder structure it fails (set watch folder, start writing after pulling in a .torrent file, etc).

Looks like inside the app/container it only has RW perms to the /config folder (when I set anything to write there it's fine) BUT only Read to the /downloads volume... BUT with the linuxserver.io Deluge container it works 100% using the same folder structure and the same PUID/PGID (my admin account).
 
