Question Permissions for User to run Docker?


NAS: DS418play, DS213j, DSM 7.0.1-14401
As I frequently am toying with Docker, I wanted to do that from my User account, however, Docker is not listed among the Applications "Allow/Deny" tab.

What is a simple way to do this? I'd prefer to minimize the use of my administrator login. Is there a security issue I'm overlooking?
 
I am afraid docker is handled as part of DSM and not really as a standalone application. The fun thing is, it uses POST requests to the webapi/entry.cgi endpoint to delegate api commands to the SYNO.Docker.Container module that drives the docker-api using the docker.sock as root. I really do hope non admin users are not able to see/use the docker ui, as this would be a major security problem. I am afraid you stumbled across a valid change request towards Synology.

If it's about accessing the docker cli command as non root user, then adding the user to the docker usergroup does the trick (in edit user, tab "User Groups").
 
NAS: DS218+
Docker requires pretty powerful privileges, after all you are creating and killing processes with rights under various user and group IDs. Typically, one needs "sudo" to do anything useful with docker.

You could - and I haven't tried this - add your user account to the /etc/sudoers file, which Synology prefers by adding a file to the /etc/sudoers.d directory.

Oh, I just realized you meant the GUI app. No idea on that one although some spelunking through install scripts or config directories might yield a solution. That said, I'd assert using an admin account is exactly appropriate for this sort of high privilege administration.
 
Docker requires pretty powerful privileges, after all you are creating and killing processes with rights under various user and group IDs. Typically, one needs "sudo" to do anything useful with docker.
The docker engine is always run with root permissions! Granting access to the docker.sock is the only way to control access to the docker engine. This is why adding a user to the docker group is sufficient to allow them to access the docker.sock with the docker cli.

Though, since a year or so this is not entirely true:
- with "rootless docker" it is possible to run a (crippled) docker engine in userspace. It is far away from being as beginner friendly as the "normal" docker version is. I didn't really feel like spending time on taming that beast - the limitations of it simply suck.
- you could use OPA to add further policies(~restrictions) even for non privileged users that have access to the docker.sock
 
Granting access to the docker.sock is the only way to control access to the docker engine.
You have a Docker group on Synology (from the Synology Package Center)? I don't. I have a docker user (which I may have created... I don't remember) and a docker shared folder (by DSM).
 
You have a Docker group on Synology (from the Synology Package Center)? I don't. I have a docker user (which I may have created... I don't remember) and a docker shared folder (by DSM).
Yeap. Ditto here.

You have a Docker group?

I have the same as @Telos as in a docker shared folder - which I use for persistence - and what was a 'docker' user - which at some point I must've forgotten was auto-created - which I have since changed the name of. (Mind, everything still works.)
 
Seems I created the group myself and fixed the permissions.

Required Steps:
- create the group "docker" from the ui or cli (sudo synogroup --add docker)
- make it the group of the docker.sock: sudo chown root:docker /var/run/docker.sock
- assign the user to the docker group in the ui or cli (sudo synogroup --member docker {username})
- login into ssh as {username} and try (if you were already logged in before you created the group, logout and relogin)

On linux distros, the docker group is created during the installation of the docker package. The ownership there is root:docker. Seems I just re-created the behavior on my DS.
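A small audit script for the setup described in the steps above, added here as an example rather than taken from the thread: it checks that docker.sock ends up owned root:docker without world access and that a given account is actually listed in the docker group. The pure functions take their inputs as arguments so they can be exercised offline; `audit_host` assumes GNU-style `stat -c` and the standard `/etc/group` path.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the docker.sock ownership and
# docker group membership that the steps above produce.

# check_sock_perms OWNER GROUP MODE -> 0 if the socket is set up as intended.
# MODE is the octal string printed by `stat -c %a`, e.g. 660.
check_sock_perms() {
    owner=$1; group=$2; mode=$3
    if [ "$owner" != "root" ]; then
        echo "FAIL: socket owner is $owner, expected root"; return 1
    fi
    if [ "$group" != "docker" ]; then
        echo "FAIL: socket group is $group, expected docker"; return 1
    fi
    # Last octal digit is the "other" class; any bit set there hands every
    # local account root-equivalent control of the engine.
    others=$(printf '%s' "$mode" | tail -c 1)
    if [ "$others" != "0" ]; then
        echo "FAIL: mode $mode grants access to all users"; return 1
    fi
    echo "OK: $owner:$group mode $mode"; return 0
}

# user_in_group USER GROUP GROUPFILE -> 0 if USER is a listed member of GROUP.
# Reads /etc/group format (name:password:gid:member1,member2); only explicit
# supplementary memberships appear there, which is what `synogroup --member` sets.
user_in_group() {
    user=$1; group=$2; groupfile=$3
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    case ",$members," in
        *",$user,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_host USER: live check of this machine; returns 2 when no socket exists.
audit_host() {
    sock=/var/run/docker.sock
    [ -S "$sock" ] || { echo "no $sock on this host"; return 2; }
    check_sock_perms "$(stat -c %U "$sock")" "$(stat -c %G "$sock")" "$(stat -c %a "$sock")"
    if user_in_group "$1" docker /etc/group; then
        echo "$1 is in the docker group (root-equivalent via the socket)"
    else
        echo "$1 is not in the docker group (re-login after adding)"
    fi
}
```

Run `audit_host {username}` over ssh after the steps; a mode of 666 or a group other than docker means the chown/chmod did not stick across the restart.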
 
So far I only used synogroup --add and synogroup --member, both have been straight forward. No idea if other options are also that straight forward to use. At least for synouser --add I do remember that it was definitely not straight forward. Back in the days it took me a fair while to add a user by cli. Pity, I didn't take any notes about how I solved it.

Update: oh, I missed your point. I don't edit /etc/group manually. I always use the cli commands to achieve the configuration I want.
 
I must have created it ages ago and surely had several updates of DSM and the docker package since... Honestly, it was that long ago that I didn't even remember at first that I created the group myself.

Replacing the owner group for docker.sock is irrelevant for the docker ui, as it will always drive the docker.sock as root.
 