Noob Volume Rights question

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Noob Volume Rights question

Unread post by snowatom » Fri Nov 10, 2017 11:55 pm

Hi

I have installed [linuxserver/sickrage] in docker.

But the program needs a folder with rights to write files. When docker is installed it creates a shared folder [/docker] but for some reason The Sickrage only has read access.

In DSM I can right-click a folder and give RW to everyone, and it works, but is that really the way to do it?

I would imagine that the Docker app created share would have the needed rights by default.

What am I doing wrong ?

/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

sincarne
Virtuoso
Posts: 1313
Joined: Wed Feb 15, 2017 9:57 pm

Re: Noob Volume Rights question

Unread post by sincarne » Sat Nov 11, 2017 10:50 am

You need to map the volume in the Docker application. The Docker Hub page tells you what you need to do.

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sat Nov 11, 2017 10:52 am

.. and make sure to use the environment variables to map the folder owner's uid:gid into the container.

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Re: Noob Volume Rights question

Unread post by snowatom » Sat Nov 11, 2017 11:13 am

OK, thank you, learning quickly now..

Few more questions though.

I've learned that it is much easier to install via TS, and this is my command:

sudo docker create --name=Sickrage -v /volume1/docker/Sickrage/config:/config -v /volume1/docker/Sickrage/downloads:/downloads -v /volume1/docker/Sickrage/tv:/tv -e PGID=101 -e PUID=1025 -e TZ=Europe/Copenhagen -p 4000:8081 linuxserver/sickrage

And it works great, however when the command is run, this is found in my variables:

PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PS1 $(whoami)@$(hostname):$(pwd)$
HOME /root
TERM xterm
PYTHONIOENCODING UTF-8
PGID 101
PUID 1025
TZ Europe/Copenhagen
PGID 101
PUID 1025
TZ Europe/Copenhagen

Why are there two of PGID, PUID & TZ ?
What is PATH, and why is it there ?
What is PS1 ?
Why is HOME /root, is that OK ?
And what is TERM ?

My concern is that the container somehow can access files on my DSM, that I don't want it to.

thanx
/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sat Nov 11, 2017 11:56 am

First of all: your docker command line looks fine :)
Actually it helps a lot to store the command somewhere, as you will need it for an image update (if you don't delegate the update action to watchtower).

The ENV variables are declared with a default value inside the Dockerfile during image build. Some of those variables are not meant to be overridden, some of them are ;)
The Dockerhub description should EXACTLY describe which ones are meant to be changed.

The doubled parameters actually are not a problem. They exist in my containers as well... I always thought that watchtower doubled them.
Nevertheless they do no harm.

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Re: Noob Volume Rights question

Unread post by snowatom » Sat Nov 11, 2017 12:52 pm

OK, but I'm a bit worried by this one:

PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Looks like it gives access directly to DSM folders, which I don't want it to.

/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sat Nov 11, 2017 1:41 pm

What made you think the PATH environment variable would permit access to files on your host?
Those are "just" environment variables inside the contained OS, NOT on your host OS.

Whatever you map from a path on the host to a path inside the container is actually accessible for the container (assuming permissions don't prevent it).

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Re: Noob Volume Rights question

Unread post by snowatom » Sat Nov 11, 2017 2:52 pm

Another Noob question

Trying to run commands inside docker MariaDB container.

For fun I'm trying to change the root password given at install of container.

sudo docker exec MariaDB SET PASSWORD FOR 'root'@'localhost' = PASSWORD('123456');

I can't find any info on how to perform commands inside a Docker container; I would assume it would be:
sudo docker exec MariaDB [followed by the same command as if not in a Docker Container]

Can you teach me some more ?

/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sat Nov 11, 2017 3:35 pm

docker exec -ti {container id or name} {cmd}

Replace {cmd} with the command you would type into a terminal if mariadb would run locally.

Actually it is more fun to help people that learn the basics and have specific questions about how they solve things on their own.
I will leave it for someone else to respond to your "please teach me" post. I am not going to do that. Sorry.

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Re: Noob Volume Rights question

Unread post by snowatom » Sat Nov 11, 2017 4:07 pm

The teach me more was specific ;o) - I want to know how to change root password on MariaDB

Found this guide:
https://www.digitalocean.com/community/ ... t-password

But when I try to run the command below (with and without sudo), this happens:

admin@VirtualDSM:/$ sudo docker exec -ti MariaDB systemctl stop mariadb
Failed to get D-Bus connection: Unknown error -1

admin@VirtualDSM:/$ sudo docker exec -ti MariaDB sudo systemctl stop mariadb

rpc error: code = 2 desc = "oci runtime error: exec failed: exec: \"sudo\": executable file not found in $PATH"
admin@VirtualDSM:/$

This might be simple for anyone else, but I need to follow a guide, and have no idea what to do when it does not work.

/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sat Nov 11, 2017 5:07 pm

Docker images usually contain as minimal an OS as possible. The systemd package is most likely not installed in the image, thus not available in the container.
You really need to figure out the name of the mariadb client tool and hope that it was packaged inside the container.

Other than that: usually Docker containers solve things like user/password/default database with environment variables that set the values during first start...

Also: "sudo docker" elevates permissions on the host. If you want it to happen inside the container, sudo must be part of {cmd} (which is useless anyway since either you are already root there OR a restricted user. In the latter scenario tools like sudo are usually removed as a security measure).

See how it is meant to be used for linuxserver/mariadb

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Re: Noob Volume Rights question

Unread post by snowatom » Sat Nov 11, 2017 7:44 pm

Thank you, you've been most helpful. But gonna bug you one last time.

When creating Sickrage I use sudo, otherwise I get this error:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

sudo docker create --name=Sickrage -v /volume1/docker/Sickrage/config:/config -v /volume1/docker/Sickrage/downloads:/downloads -v /volume1/docker/Sickrage/tv:/tv -e PGID=101 -e PUID=1025 -e TZ=Europe/Copenhagen -p 4000:8081 linuxserver/sickrage

Does this mean that the container has elevated permissions on the host ? - or only for installation ?

/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sat Nov 11, 2017 11:57 pm

snowatom wrote: Thank you, you've been most helpful. But gonna bug you one last time.

When creating Sickrage I use sudo, otherwise I get this error:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

sudo docker create --name=Sickrage -v /volume1/docker/Sickrage/config:/config -v /volume1/docker/Sickrage/downloads:/downloads -v /volume1/docker/Sickrage/tv:/tv -e PGID=101 -e PUID=1025 -e TZ=Europe/Copenhagen -p 4000:8081 linuxserver/sickrage

Does this mean that the container has elevated permissions on the host ? - or only for installation ?

/snowatom
Only root has access to the docker socket on Synology. Every docker container runs by default with root permissions. Better images use a restricted user inside the container to execute the application process(es). All linuxserver.io images do! A lot of images don't implement a mechanism to execute the main processes with a restricted user. It should be mentioned in the description on the docker hub page, though. Stay away from images without a clear description and/or without a dockerfile posted on dockerhub.
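
An added example (not part of the original thread, and not Synology or linuxserver.io code) for the two points made above: a container reaches only the host paths mapped into it, and it starts as root unless the image drops to a restricted user. It reads the JSON printed by `docker inspect` and lists the bind-mounted host paths, the privileged flag and the PUID/PGID handed to the image. The sample input is constructed from the `docker create` command quoted in the thread; treating PUID/PGID as the user the application drops to is an assumption based on the linuxserver convention described here.

```python
import json

# Constructed sample: the `docker inspect` fields that matter here, filled in
# from the `docker create` command quoted in the thread (not real output).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/Sickrage",
    "Config": {"User": "", "Env": [
        "PGID=101", "PUID=1025", "TZ=Europe/Copenhagen",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]},
    "HostConfig": {"Privileged": False},
    "Mounts": [
        {"Type": "bind", "Source": "/volume1/docker/Sickrage/" + d,
         "Destination": "/" + d, "RW": True}
        for d in ("config", "downloads", "tv")],
}])


def audit(inspect_json):
    """Summarise what each inspected container can reach on the host."""
    reports = []
    for c in json.loads(inspect_json):
        config, host = c.get("Config") or {}, c.get("HostConfig") or {}
        env = dict(e.split("=", 1) for e in config.get("Env") or [] if "=" in e)
        # Only mounts expose host files; PATH, HOME etc. name paths inside the image.
        host_paths = sorted(
            (m["Source"], "rw" if m.get("RW") else "ro")
            for m in c.get("Mounts") or [] if m.get("Type") == "bind")
        # An empty User means the container's first process runs as root.
        starts_as_root = (config.get("User") or "") in ("", "0", "root", "0:0", "root:root")
        warnings = []
        if host.get("Privileged"):
            warnings.append("privileged: isolation from the host is largely disabled")
        # Assumption: the image drops to PUID/PGID (linuxserver convention).
        if starts_as_root and not ("PUID" in env and "PGID" in env):
            warnings.append("starts as root and no PUID/PGID given to drop to")
        reports.append({
            "name": c.get("Name", "").lstrip("/"),
            "host_paths": host_paths,
            "starts_as_root": starts_as_root,
            "app_ids": (env.get("PUID"), env.get("PGID")),
            "warnings": warnings,
        })
    return reports


if __name__ == "__main__":
    for report in audit(SAMPLE_INSPECT):
        print(json.dumps(report, indent=2))
```

To check a real container, pass the output of `sudo docker inspect <name>` to `audit()` instead of the sample.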

snowatom
Apprentice
Posts: 98
Joined: Sat Dec 28, 2013 12:02 pm

Re: Noob Volume Rights question

Unread post by snowatom » Sun Nov 12, 2017 8:14 am

OK thank you

I'll stay away from Docker for now, I'll need a lot more knowledge on this.

I figured I could play around, like with virtual servers, without any risk of damaging my DSM OS, if the option “execute container using high privilege” was not checked. But apparently it's not that simple.

I have a very limited knowledge of Linux, and thought this to be a perfect way to learn a bit more, without any worrying.

/snowatom
Synology DS918+ (2x8GB Ram) - SHR (2x8TB + 2x4TB) WD RED - with 2x128GB SSD Cache RAID1

mightbetrue
Versed
Posts: 221
Joined: Sun Oct 02, 2016 9:41 am

Re: Noob Volume Rights question

Unread post by mightbetrue » Sun Nov 12, 2017 12:40 pm

You are aware that docker relies on kernel extensions to separate instances from the host OS and each docker container?
If you stick with linuxserver images and use the usermapping, there are not many mistakes to make..

Still, Docker is not a VM!

You should at least read and understand the basic concepts before using it.
If you don't, it can result in an unsatisfying experience. People tend to blame docker or Synology for those experiences, even though it's "PEBKAC" centered.
