Question Permissions for User to run Docker?

As I frequently am toying with Docker, I wanted to do that from my User account, however, Docker is not listed among the Applications "Allow/Deny" tab.

What is a simple way to do this? I'd prefer to minimize the use of my administrator login. Is there a security issue I'm overlooking?
 
I am afraid docker is handled as part of dsm and not really as a standalone application. The fun thing is, it uses POST requests to the webapi/entry.cgi endpoint to delegate api commands to the SYNO.Docker.Container module that drives the docker-api using the docker.sock as root. I really do hope non admin users are not able to see/use the docker ui, as this would be a major security problem. I am afraid you stumbled across a valid change request towards Synology.

If it's about accessing the docker cli command as non root user, then adding the user to the docker usergroup does the trick (in edit user, tab "User Groups").
 
Docker requires pretty powerful privileges, after all you are creating and killing processes with rights under various user and group IDs. Typically, one needs "sudo" to do anything useful with docker.

You could - and I haven't tried this - add your user account to the /etc/sudoers file, which Synology prefers by adding a file to the /etc/sudoers.d directory.

Oh, I just realized you meant the GUI app. No idea on that one although some spelunking through install scripts or config directories might yield a solution. That said, I'd assert using an admin account is exactly appropriate for this sort of high privilege administration.
 
The docker engine is always run with root permissions! Granting access to the docker.sock is the only way to control access to the docker engine. This is why adding a user to the docker group is sufficient to allow them to access the docker.sock with the docker cli.

Though, since a year or so this is not entirely true:
- with "rootless docker" it is possible to run a (crippled) docker engine in userspace. It is far away from being as beginner friendly as the "normal" docker version is. I didn't really feel like spending time on taming that beast - the limitations of it simply suck.
- you could use OPA to add further policies (~restrictions) even for non privileged users that have access to the docker.sock
 
You have a Docker group on Synology (from the Synology Package Center)? I don't. I have a docker user (which I may have created... I don't remember) and a docker shared folder (by DSM).

Yeap. Ditto here.

You have a Docker group?

I have the same as @Telos as in a docker shared folder - which I use for persistence - and what was a 'docker' user - which at some point I must've forgotten was auto-created - which I have since changed the name of. (Mind, everything still works.)
 
Seems I created the group myself and fixed the permissions.

Required Steps:
- create the group "docker" from the ui or cli (sudo synogroup --add docker)
- make it the group of the docker.sock: sudo chown root:docker /var/run/docker.sock
- assign the user to the docker group in the ui or cli (sudo synogroup --member docker {username})
- log in via ssh as {username} and try (if you were already logged in before you created the group, log out and log in again)

On linux distros, the docker group is created during the installation of the docker package. The ownership there is root:docker. Seems I just re-created the behavior on my DS.
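A re-runnable version of these steps, as an added example (not code from the thread, nor from Synology), which also reports who ends up with root-equivalent access through docker.sock, the point made earlier about the engine always running as root. It assumes DSM's synogroup, sudo and a GNU-style `stat -c` are available; the explicit `chmod 660` is an addition to the steps above.

```shell
#!/bin/sh
# Added example: apply the docker group/socket steps and report who can reach
# docker.sock. SOCK and GROUP_FILE can be overridden (e.g. for testing).
SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# Comma-separated members of group $1 as recorded in an /etc/group-style file $2.
group_members() {
  awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# $1 = owner:group (stat %U:%G), $2 = octal mode (stat %a). Accept only root:docker
# with rw for the group and nothing for "other": a world-accessible docker.sock
# hands root-equivalent control of the engine to every local account.
mode_ok() {
  [ "$1" = "root:docker" ] || return 1
  other=${2#"${2%?}"}          # last digit: "other" bits
  rest=${2%?}
  group=${rest#"${rest%?}"}    # second-to-last digit: group bits
  [ "$other" = "0" ] || return 1
  case "$group" in 6|7) return 0 ;; esac
  return 1
}

# Print the accounts that can drive the engine through the socket. As noted
# earlier in the thread, each of them is effectively root on the NAS.
sock_report() {
  own=$(stat -c '%U:%G' "$SOCK") || return 1
  mode=$(stat -c '%a' "$SOCK") || return 1
  echo "$SOCK: $own mode $mode"
  if mode_ok "$own" "$mode"; then
    echo "root-equivalent via group docker: $(group_members docker "$GROUP_FILE")"
  else
    echo "WARNING: unexpected ownership/mode on $SOCK, review who can reach it"
    return 1
  fi
}

# The thread's steps, made safe to re-run. The chown only affects the current
# socket file; if the Docker package recreates it, run sock_report again.
setup_docker_group() {
  grep -q '^docker:' "$GROUP_FILE" || sudo synogroup --add docker
  sudo chown root:docker "$SOCK"
  sudo chmod 660 "$SOCK"
  sudo synogroup --member docker "$1"
  echo "log out and back in as $1 so the new group membership is picked up"
  sock_report
}

# Usage: sh docker-group.sh apply <username>   or   sh docker-group.sh report
case "${1:-}" in
  apply)  setup_docker_group "$2" ;;
  report) sock_report ;;
esac
```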
 
So far I only used synogroup --add and synogroup --member, both have been straightforward. No idea if other options are also that straightforward to use. At least for synouser --add I do remember that it was definitely not straightforward. Back in the day it took me a fair while to add a user by cli. Pity, I didn't take any notes about how I solved it.

Update: oh, I missed your point. I don't edit /etc/group manually. I always use the cli commands to achieve the configuration I want.
 
I must have created it ages ago and surely had several updates of DSM and the docker package since... Honestly, it was that long ago that I didn't even remember at first that I created the group myself.

Replacing the owner group for docker.sock is irrelevant for the docker ui, as it will always drive the docker.sock as root.
 
@one-eyed-king ,
I have tried your first step: sudo synogroup --add docker and encounter the following error:

admin@XXXXXXX:~$ sudo synogroup --add docker
Lastest SynoErr=[group_set.c:433]
SYNOLocalAccountGroupSet failed, synoerr=0x1700
admin@XXXXXXX:~$ sudo synogroup --get docker
Lastest SynoErr=[group_unpack.c:44]
SYNOGroupGet failed, synoerr=0x4000
admin@XXXXXXX:~$ sudo synogroup --descget docker
docker:[]
admin@XXXXXXX:~$ sudo synogroup --add docker admin
Lastest SynoErr=[group_set.c:433]
SYNOLocalAccountGroupSet failed, synoerr=0x1700
admin@XXXXXXX:~$ sudo chown root:docker /var/run/docker.sock
admin@XXXXXXX:~$ sudo synogroup --member docker admin
Lastest SynoErr=[group_unpack.c:44]
SYNOGroupGet failed, synoerr=0x4000

Do you know any reason why?
I have restarted the NAS and it all worked now.