Updated Docker package 18.09.0-0505 available

Currently reading
Updated Docker package 18.09.0-0505 available

I'm having docker 18.09.0-0506 running on my DS918+, but the ingress network is not working too.

When creating services in multiple node using ingress network, the services in different node can not reach out each other. After some research, I figure out that docker swarm didn't listen to 4789 UDP port, which is used for the ingress network. That's quite a bad news.
 
4789 is required for cross machine overlay communication. I am afraid, it will only work if the DS is an isolated stand alone Swarm manager node. Swarm services aren't usable though, as the bugfix for missing environment variables was only applied to docker-compose deployment, but does not cover swarm stack/service deployment. Swarm is effecitcly broken because Synology made a half assed fix for the problem. And it seams you detected another one...
 
Last edited:
The remote api is not enabled by default. If it is enabled and accessible form the internet, it could be used to manage the docker host and create containers that run the exploit and replace the runc binary - the runtime for container itself - with a malicious one.

Unless you do not enable the remote api (which can be only done from the shell) or allowed shell access to untrusted users, you are safe.

Even if the remote api is enabled, it is ment to be used with mutual TLS, where the api server and the api client require the TLS certificates of the other parties to be known and trusted, the risk could be mitigated.

Though, if someone is brave enough to expose an unprotected remote api to the internet.. be sure someone will expose it ;) Even then: we run docker 18.09.6 with runc 1.0.0-rc8 under the hood. As far as I can tell, we are not affected anyway.
 
So any luck with the overlay network? I did a lot of searching and see some old stuff from 2017 about some kernel module not being available in DSM at the time, but then it was supposed to have been added. Not finding much solid, current information, but I've got a 3-node swarm up, and I have perfect connectivity between two of the nodes via the overlay network, but the DS918+ is just a black hole ... and I think I REALLY need a working overlay network to get this MariaDB Galera cluster working that I'm trying to get setup :-/
 
Swarm mode always was and still is broken. On DS918+ swarm services are able to communicate with each other using an overlay network, I did some tests back in the first days of the current release. The support for overlay networks depends on the DS model. It is safe to say that not every model is able to use overlay networks.

Docker swarm services do create containers, but drop all environment declarations, which renders them effectifly useless. The future of swarm is unsure:
https://jaxenter.com/docker-mirantis-164303.html said:
Mirantis currently plans to support Swarm for at least two years, “depending on customer input into the roadmap“. Swarm users will eventually transition to Kubernetes, as Mirantis formulates a plan for an easy transition.

Though, I have no idea whether the impact only affects Docker Enterprise or affects Docker in general.
 
Mine is a DS918+ and my manually created overlay network is not working :-( . Someone figured out a fix to the environmental variables issue by upgrading to 19.03.5 over on the official forum - Synology Community ... I think I'm going to give that a go this evening to see if it helps with my overlay network issues at all.

Even if they do abandon Swarm, we're a lot closer to having it working on these boxes than trying to get Kub going from scratch I imagine.
 
Instead of bending the installed docker package and basicly replacing all docker related binaries, you might want to consider to run a linux os in vmm and install docker there. Ultimately it will give you less headaches. K8s installation is not possible either due to missing kernel modules and some required commands. Been there, tried that and failed misserably.
 
If you mean a VM on the Syno, that's a lot of overhead isn't it? If you mean elsewhere, that wouldn't really provide the 24/7 3rd physical node I'm looking for to balance my Redis and Docker quorums unfortunately. I'm not just trying to get docker working to play here, I've got home automation services and such that I'm trying to maximize uptime on by having them float between all the 24/7 hardware in my house (7th NUC, 6th gen NAS and RPi) so if one thing dies, things keep working.
 
It is compared to running docker on the DS directly. Though, running a dedicated vm is definitly the cleaner solution. I would head for a minimal ubuntu installation to reduce the overhead us much as possible.

Or add another RPi to the mix :)
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Normally I would not be bothered by a docker update, since it tends to be a small jump, but this one is...
Replies
24
Views
7,587
I can’t find any option to restore just the settings. 1710356648 Phew, managed to fix it. Within the...
Replies
4
Views
394
Good to hear. Deluge has not been updated for almost two years now as an app, nevertheless. But it gives...
Replies
12
Views
962
  • Question
Open an issue on that GitHub page. The developers will be glad to assist. OP has posted two threads on...
Replies
5
Views
965
I'm happy with email notifications but in v0.3.3 of dockcheck the author added apprise notifications...
Replies
4
Views
1,043
I am also trying to setup a Z-wave USB dongle and am getting stuck after following the same steps as...
Replies
1
Views
1,033
How did you create the Portainer container in first place? As in exact docker run commands or in case...
Replies
7
Views
1,241

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top