Skip to content

Step 2: Setting up a restricted Docker user and obtaining IDs

UpdateDate
First version of the setup01/08/2021
Added a note regarding the /data share
Cleaned up the guide with LanguageTool
General formatting updates
14/03/2022

In older versions of my guides and in practice I was using my main admin users details for all my Docker containers. This is not great for security, so it is good practice to set up a unique user with more limited share and application access for your containers. We won’t ever be using this user to log into DSM it is purely for Docker.

Creating a User

Navigate into the DSM control panel and open up ‘User’ then click Create.

You can call the user whatever you want, I just kept mine simple and created one called ‘dockerlimited’

It’s also a good idea to generate a very strong random password for the user, while it will be a very limited account you don’t want to give it an easy to guess password. You will never need this password for what we are doing.

Next we are going to add this new user to the ‘users’ group as we don’t want it having any sort of admin access.

Next we are going to allow this user ‘Read/Write’ access to the data* and docker folders, if you have any other folders it should default to ‘No Access’.

*Please note if you are not following one of the media setup guides you will not have the /data share so don’t worry if it is missing.

Nothing to change on the User quota settings just click ‘Next’

Our user will not require any application permissions so check the ‘Deny’ button at the top of the screen.

Again we don’t need to set any speed limits for this user so click on ‘Next’

The final screen will just confirm your settings make sure the correct shares are in the ‘Writeable’ list, click on ‘Done’ and your user will be created.


Obtaining the new users PUID and PGID

Now we have created the new user for your containers we need to obtain the PUID (Personal User ID) and PGID (Personal Group ID). These are used to pass file permissions through to our containers.

You will need to SSH into your Diskstation using ‘PuTTY’ or an equivalent program depending on if you are a Windows, Linux, or Mac user.

Go back into the Control Panel again and enable SSH

Open up ‘PuTTY’, the only thing you need to enter is the IP address of your NAS and select the SSH radio button.

SSH into your Synology to find out your ID’s

Click on ‘Open’, you will get a prompt asking if you trust the key, if this is the first time you have used SSH, just press OK or accept.

Enter the login information for your main Synology user account, you will not be able to see the password as you type it.

Once logged in type the below replacing ‘dockerlimited’ with the name of the user you created if you changed it.

id dockerlimited

This will show the UID (aka PUID) and GID (aka PGID) as below

uid=1028(dockerlimited) gid=100(users) groups=100(users)

You have now successfully set up your limited access user and obtained its IDs for use in Docker. You can now go back to the guide you were following.



Throw me some bits or buy me a coffee?

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running the site, you can even buy me a coffee 🙂

Buy Me A Coffee
Doge / Ethereum / Bitcoin

23 Comments

  1. Dmitri_Durst Dmitri_Durst

    Thank you so much for this guide. I used it to successfully create a number of containers that have been working well for months.

    However, I have one container that was working up until about a week ago. Now constantly restarts and fails to stay loaded. Based on the log file in docker, it states “addgroup: gid in use”. But I reconfirmed that the PGID hasn’t changed, neither has the PUID, and all the other containers still have the same settings. Any ideas on what could be wrong?

    • Dr_Frankenstein Dr_Frankenstein

      Hey thanks. Which docker image are you using?

      • Dmitri_Durst Dmitri_Durst

        The image is for pymedusa/medusa:master , which is similar in utility to the Sonarr image that you have. Since the image wasn’t exactly one of the ones you had listed, I figured I would post the question in the ‘general user configuration’ section. The other images I’m using based on your guide (watchtower, deluge, SABnzbd) all work as intended, its just this one, even though its configured in much the same manner.

          • Dmitri_Durst Dmitri_Durst

            Thanks for this. I’m guessing there’s something particularly useful or pre-configured about the linuxserver images that just “plays nice” with the configuration outlines you specify in the guide?

          • Dr_Frankenstein Dr_Frankenstein

            Yes, the will follow a similar pattern of setup, such as allowing the use of the PGID etc. The only thing we deviate from is the mount points of data, you will essentially mirror the Sonarr guide but using Medusa. Then it’s webui is available on port 8081

  2. hello, in my synology I do not have the folder “data” what should I do?

  3. Keegan Lanier Keegan Lanier

    I’ve validated user id and password, but for some reason putty gives me an access denied status. Anyone ever see this for any reason other than a wrong user id or password?

    • Dr_Frankenstein Dr_Frankenstein

      Are you copy and pasting the password into putty? You paste by right clicking on the window. It’s really easy to get it wrong as you can’t see what’s being entered at all. Also double check you are connecting to port 22 and not telnet.

  4. Bryan Bryan

    Curious made the user exactly like you said and in the summary window it shows write access but when I click on the user afterwards to check permission I see in big red letters read only for docker…. did I do something wrong?

    • Dr_Frankenstein Dr_Frankenstein

      Hey, bit hard to say, it should look the same, might be worth deleting the user and doing it again

      • Bryan Bryan

        lol. I think I was looking at permissions of the docker folder as pertaining to the dockerlimited user. Or it changed since I looked last. looking now it is showing read/write which gives me the courage to keep going . If you only knew how much frustration I have dealt with using sabnzbd,sonarr,radarr on Syno community lately and then trying different docker tutorials that didn’t actually lead me to where I wanted to be. Nervous every time things go weird. Just want this all working again…. Really glad I found your site. If I get this up and running I’ll be buying you several coffees!

  5. captainkanpai captainkanpai

    Hello! I created the new user like you explained, but don’t see anything happening with it in the setups of all the containers. What does this new user do exactly? Do I have to sign in with this user to install all the docker containers on that users home?

    Thanks, cheers.

    • Dr_Frankenstein Dr_Frankenstein

      Hey, this user is setup purely for the containers to use, you will never need to log in with it. From a security standpoint it is better for the containers to have restricted permissions to folders on the host, so by setting this user up and then using its id’s on the containers have limited access, also it gives us the benefit of having a common set of permissions across the required folders.

      • captainkanpai captainkanpai

        Ahh, I forgot about the PUID and PGID. Is it a problem that all my users have the same id’s?

        Kinda a noob here, and want to be sure it’s all safe and secure 🙂

        Also, thank you for these setup manuals!!

        • Dr_Frankenstein Dr_Frankenstein

          If you just use the ID from the user you setup in this guide you should be good

      • Christopher Christopher

        I should have read this first, and maybe it is worth adding the info up there.
        I spent half an hour in configuration, because “clearly i got something wrong, as the Docker app does not show in my restricted user!!!” lol

        • Dr_Frankenstein Dr_Frankenstein

          I will add something in the start.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!