Info DSM 7 RC Docker VPN breakage | A solution


Telos

Just a heads-up... There are many recent reports about RC breaking vpn dockers... openvpn, qbittorrentvpn, transmissionvpn, etc. Apparently, Synology's handling of root access changed between "beta" and "RC".

A "solution" has appeared requiring the use of "cap_add" : NET_ADMIN alongside dropping "privileged" : true

This requires docker compose, in lieu of Synology's Docker WebGUI.

Hopefully this will aid others, as my guess is that the RC changes won't be rolling back due to Synology's decision to harden root privileges in DSM 7.
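
The change described in the post above, written out as a docker-compose file. This is an added example, not from the thread or from any image's documentation; the service name, image name and volume path are placeholders, and the `/dev/net/tun` mapping is an assumption that holds for OpenVPN-style containers.

```yaml
# Added example. Names, image and paths are placeholders; substitute the
# VPN image you actually run (openvpn, qbittorrentvpn, transmissionvpn, ...).
version: "3"

services:
  vpn-client:                               # hypothetical service name
    image: example/openvpn-client:latest    # placeholder image
    container_name: vpn-client

    # Before: the setting reported to break on DSM 7 RC.
    # "privileged" hands the container every capability, access to all
    # host devices, and turns off the default seccomp/AppArmor confinement.
    #
    # privileged: true

    # After: grant only the capability a VPN client needs to create
    # interfaces, set routes and manage firewall rules in its namespace.
    cap_add:
      - NET_ADMIN

    # Assumption: without "privileged" the tunnel device is no longer
    # exposed implicitly, so images that open /dev/net/tun need it mapped.
    devices:
      - /dev/net/tun:/dev/net/tun

    volumes:
      - /volume1/docker/vpn/config:/config  # placeholder path

    restart: unless-stopped

# Bring it up from the directory holding this file:
#   docker-compose up -d
#
# Check what the running container was actually granted:
#   docker inspect --format '{{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' vpn-client
# Privileged should be false and CapAdd should list only NET_ADMIN.
```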
 
I wonder why they are making these kinds of changes so "late" in the development cycle.

Breaking that much functionality doesn't seem like something that should happen in an "RC" named release.

Could it be a "response" to qlocker and the general state of ransomware attacks?
 
My take is that Synology is attempting to shore up weak security, and so the root changes should be beneficial.

As you stated, this should not be first appearing with an RC release. Clearly DSM7 roll-out is significantly delayed, and I suspect that the premature RC release (in reality, "beta 2") is a cultural phenomenon to "save face". I also expect the official release to contain significant changes which break RC-compatible packages. Synology has always been loose with their releases, often replacing bad releases with patches under the same release/build number.
 
My take is that Synology is attempting to shore up weak security, and so the root changes should be beneficial.
I'd agree with this too.

It's something of a conflict for Synology in that they market an appliance that is also capable of much more via command line manipulation. That's without hacking the DSM OS but by just using command line utility options that aren't exposed via the web GUI.

But I'd wager that a lot of modifications are by people following instructions that someone has devised, in good faith, but may not be the most secure: which user/group do you use to run an executable, does it have to be so privileged? What access permissions do the executables, files and folders need?

It's difficult to know the minimum privilege and permissions to enable things to run, and harder when following instructions that may not be for your system.

There will always be ways around security controls but I think it's better to enable these to protect the core functions, and so your most novice users. More advanced users will work out how to adapt, but remember this isn't a general purpose server even if it comes with packages that make it do so much more than file serving.

While DSM 7 is not in general availability then I'm not too worried about things changing and packages having to catch up.
 
