Docker usr & usergroup

[iStone]

Gents:

There is a concern I want to hear your solutions:

• You may have set up several docker/containers with root/admin, e.g. Homebridge/Linux/other servers, running under the only user of root/admin;
• But SynoNAS persistently asks you to deactivate the account of admin/root due to security concerns, warn& notify in DSM that you should disable that from time to time( quite annoying);

I have also several docker/containers running under root, with interaction to DSM host system, e.g. SQL server, in order to conform with the securityadvise, I switched off admin account, but then I encounter with lots problems and have to re-setup the interactions. e.g. setup new user at docker/container & assign it to admin group and the previous data directories, etc.

Anyone has a more systematic solution, what would be the "best practice" ?

Thanks and Regards

 

[technorabilia]

I think what you described is the best practice. That is what I did. Takes a bit of effort, but imo this is the best approach.

 

[iStone]

I think what you described is the best practice. That is what I did. Takes a bit of effort, but imo this is the best approach.

haha

you may know SynoNAs even doesn't have the command of groups, evenif you sudo groups: sudo: groups: command not found
so tiresome!
ref.:

• https://www.dark-hamster.com/operating-system/how-to-add-a-user-to-a-group-in-synology-network-attached-storage/
• How to add a user to a group in Synology Network Attached Storage - Just Another Sharing Site ...

 

[technorabilia]

You can use the GUI for that? Control Panel, Users?

If you want to change uid/gid you can use the command line util synouidmod (3rd party) or change /etc/passwd and /etc/group and synouser --rebuild all. At your own risk.

Or use chown -R user:group /path/to/dir to recursively change ownership.

 

[one-eyed-king]

This should be the Synology counterpart:

sudo synogroup --add docker
sudo synogroup  --member docker ${username}
sudo chown root:docker /run/docker.sock
sudo chmod 0660 /run/docker.sock # in case the unix permissions are not already set to 0660

Warning: be aware that synogroup --member ${groupname} ${username} will set(!) the one or more usernames you provide as the members of the group! If you apply this command to a previosly existing group with members, the list of members will be replaced with the usernames you specify here.

update: the last link in iStones 2nd post covers --add with assigning the member to the group in a single command. Since a new group can't have members there is no risk to remove existing members of the group