Question Permissions for User to run Docker?

[Telos]

As I frequently am toying with Docker, I wanted to do that from my User account, however, Docker is not listed among the Applications "Allow/Deny" tab.

What is a simple way to do this? I'd prefer to minimize the use of my administrator login. Is there a security issue I'm overlooking?

 

[one-eyed-king]

I am afraid docker is handled as part of dsm and not realy as standalone application. The fun thing is, it uses POST requests to the webapi/entry.cgi endpoint to delegate api commands to the SYNO.Docker.Container module that drives the docker-api using the docker.sock as root. I realy do hope non admin users are not able to see/use the docker ui, as this would be a major security problem. I am afraid you stumbled accros a valid change request towards Synology.

If it's about accessing the docker cli command as non root user, then adding the user to the docker usergroup does the trick (in edit user, tab "User Groups").

 

[Seaprobe]

Docker requires pretty powerful privileges, after all you are creating and killing processes with rights under various user and group IDs. Typically, one needs "sudo" to do anything useful with docker.

You could - and I haven't tried this - add your user account to the /etc/sudoers file, which Synology prefers by adding a file to the /etc/sudoers.d directory.

Oh, I just realized you meant the GUI app. No idea on that one although some spelunking through install scripts or config directories might yield a solution. That said, I'd assert using an admin account is exactly appropriate for this sort of high privilege administration.

 

[one-eyed-king]

Docker requires pretty powerful privileges, after all you are creating and killing processes with rights under various user and group IDs. Typically, one needs "sudo" to do anything useful with docker.

The docker engine is always run with root permissions! Granting access to the docker.sock is the only way to control access to the docker engine. This is why adding a user to the docker group is sufficient to allow them to access the docker.sock with the docker cli.

Though, since a year or so this is not entirely true:
- with "rootless docker" it is possible to run a (crippled) docker engine in userspace. It is far away from beeing as beginner friendly as the "normal" docker version is. I dind't realy feel like spending time on taming that beast - the limitations of it simply suck.
- you could use OPA to add further policies(~restrictions) even for non privileged users that have access to the docker.sock

 

[Telos]

Granting access to the docker.sock is the only way to control access to the docker engine.

You have a Docker group on Synology (from the Synology Package Center)? I don't. I have a docker user (which I may have created... I don't remember) and a docker shared folder (by DSM).

 

[namedNik]

You have a Docker group on Synology (from the Synology Package Center)? I don't. I have a docker user (which I may have created... I don't remember) and a docker shared folder (by DSM).

Yeap. Ditto here.

You have a Docker group?

I have the same as @Telos as in a docker shared folder - which I use for persistence - and what was a 'docker' user - which at some point I must've forgoten was auto-created - which I have since changed the name of. (Mind, everything still works.)

 

[one-eyed-king]

Seems I created the group myself and fixed the permissions.

Required Steps:
- create the group "docker" from the ui or cli (sudo synogroup --add docker)
- make it the group of the docker.sock: sudo chown root:docker /var/run/docker.sock
- assign the user to the docker group in the ui or cli (sudo synogroup --member docker {username})
- login into ssh as {username} and try (if you were already logged in before you created the group, logout and relogin)

On linux distros, the docker group is created during the installation of the docker package. The ownership there is root:docker. Seems I just re-created the behavior on my DS.

 

[namedNik]

create the group "docker" from the ui or cli

Interesting. I was wanting to cli manipulate /etc/passwd the other day - initially to ADD a user - and Synology didn't want a bar of it. You've had no issues cli manipulating /etc/group?

 

[one-eyed-king]

So far I only used synogroup --add and synogroup --member, both have been straight forward. No idea if other options are also that straight forward to use. At least for synouser --add I do remember that it was definitly not straigt forward. Back in the the days it took me a fair while to add a user by cli. Pitty, I didn't take any notes about how I solved it.

Update: oh, i missed your point. I don't edit /etc/group manualy. I always use the cli commands to achive the configuration I want.

 

[Telos]

Seems I created the group myself and fixed the permissions.

Does your home-rolled Docker group withstand a DSM update?

 

[one-eyed-king]

I must have created it ages ago and surely had severall updates of DSM and the docker package since... Honestly, it was that long ago that I didn't even remember at first that I created the group myself.

Replacing the owner group for docker.sock is irrelvant for the docker ui, as it will always drive the docker.sock as root.

 

[mrkgoh]

Seems I created the group myself and fixed the permissions.

Required Steps:
- create the group "docker" from the ui or cli (sudo synogroup --add docker)
- make it the group of the docker.sock: sudo chown root:docker /var/run/docker.sock
- assign the user to the docker group in the ui or cli (sudo synogroup --member docker {username})
- login into ssh as {username} and try (if you were already logged in before you created the group, logout and relogin)

On linux distros, the docker group is created during the installation of the docker package. The ownership there is root:docker. Seems I just re-created the behavior on my DS.

@one-eyed-king ,
I have tried your first step: sudo synogroup --add docker and encounter the following error:

admin@XXXXXXX:~$ sudo synogroup --add docker
Lastest SynoErr=[group_set.c:433]
SYNOLocalAccountGroupSet failed, synoerr=0x1700
admin@XXXXXXX:~$ sudo synogroup --get docker
Lastest SynoErr=[group_unpack.c:44]
SYNOGroupGet failed, synoerr=0x4000
admin@XXXXXXX:~$ sudo synogroup --descget docker
docker:[]
admin@XXXXXXX:~$ sudo synogroup --add docker admin
Lastest SynoErr=[group_set.c:433]
SYNOLocalAccountGroupSet failed, synoerr=0x1700
admin@XXXXXXX:~$ sudo chown root:docker /var/run/docker.sock
admin@XXXXXXX:~$ sudo synogroup --member docker admin
Lastest SynoErr=[group_unpack.c:44]
SYNOGroupGet failed, synoerr=0x4000

Do you know any reason why?

-- post merged: 9. Mar 2021 --

@one-eyed-king ,
I have tried your first step: sudo synogroup --add docker and encounter the following error:

admin@XXXXXXX:~$ sudo synogroup --add docker
Lastest SynoErr=[group_set.c:433]
SYNOLocalAccountGroupSet failed, synoerr=0x1700
admin@XXXXXXX:~$ sudo synogroup --get docker
Lastest SynoErr=[group_unpack.c:44]
SYNOGroupGet failed, synoerr=0x4000
admin@XXXXXXX:~$ sudo synogroup --descget docker
docker:[]
admin@XXXXXXX:~$ sudo synogroup --add docker admin
Lastest SynoErr=[group_set.c:433]
SYNOLocalAccountGroupSet failed, synoerr=0x1700
admin@XXXXXXX:~$ sudo chown root:docker /var/run/docker.sock
admin@XXXXXXX:~$ sudo synogroup --member docker admin
Lastest SynoErr=[group_unpack.c:44]
SYNOGroupGet failed, synoerr=0x4000

Do you know any reason why?

I have restarted the NAS and it all worked now.