Info DSM 7 RC Docker VPN breakage | A solution

Just a heads-up... There are many recent reports about RC breaking vpn dockers... openvpn, qbittorrentvpn, transmissionvpn, etc. Apparently, Synology's handling of root access changed between "beta" and "RC".

A "solution" has appeared requiring the use of "cap_add" : NET_ADMIN alongside dropping "privileged" : true

This requires docker compose, in lieu of Synology's Docker WebGUI.

Hopefully this will aid others, as my guess is that the RC changes won't be rolling back due to Synology's decision to harden root privileges in DSM 7.
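
The change described in the post above, written out as a compose file. This is an added example, not part of the original thread: the service name and image are placeholders, and the `devices` entry is an assumption about what a tunnel-based image needs once `privileged` is gone.

```yaml
# docker-compose.yml (added illustration; names below are placeholders)
version: "3"
services:
  vpn-client:                            # hypothetical service name
    image: example/vpn-client:latest     # placeholder, substitute the image you run
    # Before: the container ran with full root-equivalent access to the host.
    # privileged: true
    # After: drop privileged and grant only the capability needed to
    # configure interfaces, routes and firewall rules inside the container.
    cap_add:
      - NET_ADMIN
    # Assumption: privileged mode exposed every host device, so the TUN
    # device has to be mapped explicitly after privileged is removed.
    devices:
      - /dev/net/tun
    restart: unless-stopped
```

To confirm the result, `docker inspect --format '{{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' <container>` should report `false` and a list containing `NET_ADMIN`.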
 
I wonder why they are making these kinds of changes so "late" in the development cycle.

Breaking that much functionality doesn't seem like something that should happen in an "RC" named release.

Could it be a "response" to qlocker and the general state of ransomware attacks?
 
My take is that Synology is attempting to shore up weak security, and so the root changes should be beneficial.

As you stated, this should not be first appearing with an RC release. Clearly DSM7 roll-out is significantly delayed, and I suspect that the premature RC release (in reality, "beta 2") is a cultural phenomenon to "save face". I also expect the official release to contain significant changes which break RC-compatible packages. Synology has always been loose with their releases, often replacing bad releases with patches under the same release/build number.
 
My take is that Synology is attempting to shore up weak security, and so the root changes should be beneficial.
I'd agree with this too.

It's something of a conflict for Synology in that they market an appliance that is also capable of much more via command line manipulation. That's without hacking the DSM OS but by just using command line utility options that aren't exposed via the web GUI.

But I'd wager that a lot of modifications are by people following instructions that someone has devised, in good faith, but may not be the most secure: which user/group do you use to run an executable, does it have to be so privileged? What access permissions do the executables, files and folders have to be?

It's difficult to know the minimum privilege and permissions to enable things to run, and harder when following instructions that may not be for your system.

There will always be ways around security controls but I think it's better to enable these to protect the core functions, and so your most novice users. More advanced users will work out how to adapt, but remember this isn't a general purpose server even if it comes with packages that make it do so much more than file serving.

While DSM 7 is not in general availability then I'm not too worried about things changing and packages having to catch up.
 
