Docker Setup & Pattern
To keep our Docker configuration simple, clean and secure we are going to do the following:
- Install Docker using the Container Manager package
- Create a folder structure with a category pattern
- Create dedicated users for the Docker containers
- Create a share dedicated to `docker-compose` stacks
- Use the `docker-compose` functionality introduced in DSM 7.2
I'll assume you know how to do basic configuration in Synology DSM, such as creating shares, installing packages, etc.
M.2 SSD Array
I recommend installing Docker on a dedicated M.2 SSD volume, even if your device does not officially support it. You can also do this at a later date and keep the data when moving the package over to the M.2 SSD volume.
Docker on M.2 brings lower latency when accessing applications, less random access on the spinning-disk array, and fewer wake-ups of the HDDs if you let them hibernate.
Install the Container Manager package from the Package Center.
This will automatically create the share `docker` on the volume you selected (or set as default) in Package Center.
The `docker` share will contain Docker volumes, which are used if you define a named volume. This is useful when you want to persist data in a centralized location on the host, for example to take a backup of all Docker volumes.
Normal users will not need access to this share, only the services that take backups of the Docker volumes.
We need a share for storing `docker-compose` stacks, which contain the `docker-compose.yml` definitions, optional `.env` files and possibly bind mounts if we want to keep configuration close to the stack.
`docker-compose` uses the name of the current folder as the project name and prefixes it to the container names, so each stack needs its own bottom-level folder named after the stack. Otherwise the output of `docker ps` will become ugly.
Create a share named `stack` and grant your standard user read/write permissions on it. Mount the share on your local machine and open it in an IDE.
I recommend grouping stacks by category: one top-level folder per category on the `stack` share, and one folder per stack beneath it, i.e. `<category>/<stack>/docker-compose.yml`.
This separates a set of stacks under a category, which scales well as the number of stacks grows.
Starting a stack
Create a category folder and a stack folder on the `stack` share, and add a `docker-compose.yml` to the stack folder.
Watchtower is an application for auto-upgrading all Docker container images using the Docker API, and is used as the example stack here.
We are now ready to start the `docker-compose.yml` stack, and you have two options.
- SSH into the NAS using your admin user, change into the stack folder and run `docker-compose up -d` (the Docker socket is root-owned on DSM, so you need `sudo`)
- Use the Container Manager GUI
There are two limitations with the GUI: you cannot create folders when selecting the location, and there is no support for `.env` files for using variables inside `docker-compose.yml`.
By default, the processes in a Docker container run as root (UID 0), and without user namespaces that is the very same UID 0 as root on the host: anything the container writes to a bind mount is owned by root, and a container escape lands you as root on the NAS. We can make this more secure by defining Linux users with standard access that the different containers will run as.
UIDs and GIDs are only numbers that the host and the container interpret independently; the two share the numeric ID space but not the user database.
We can define which user id and group id to use inside the container, say `1000:1000`, but that user will not have access to files on the host if no user `1000` exists on the host, or if that user has no permission on the files.
Setting the UID/GID is done either in the `docker run` command (`--user`), during the image build (the `USER` instruction), or as a pre-step script in the entrypoint driven by environment variables.
So we basically need to:
- Create a standard user in DSM
- Optional: grant the standard user access to the shares it needs
- SSH into the NAS with the admin user and run `id -u USERNAME` and `id -g USERNAME` to get the UID and GID values
- Set the UID and GID in the container configuration
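The steps above, as an added example in POSIX shell (not code from the original page): it resolves a DSM user to its numeric `UID:GID` with `id`, records the values as `PUID`/`PGID` in the stack's `.env` so the compose file can reference them (`user: "${PUID}:${PGID}"`, or the `PUID`/`PGID` environment variables some images read in their entrypoint), and checks that a bind-mounted host folder is actually owned by that UID, which is the part that goes wrong when the number inside the container has no matching user on the host. The variable names `PUID`/`PGID`, the `.env` location next to `docker-compose.yml`, and the user and paths in the usage section are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page.
# Map a DSM user to UID:GID for a container, record it in the stack's .env,
# and verify that the bind-mount folder on the host is owned by that UID.

# Print "UID:GID" for a host user. Fails (non-zero) if the user does not exist,
# which is exactly the 1000:1000 case from the text: a number with no host user behind it.
resolve_ids() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    gid=$(id -g "$1" 2>/dev/null) || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# Write PUID/PGID (assumed variable names) into <stack_dir>/.env. docker-compose
# reads .env from the project folder, so the stack can use user: "${PUID}:${PGID}".
# Note the GUI route from the text cannot use this; start the stack over SSH instead.
write_env() {
    stack_dir="$1"; user="$2"
    ids=$(resolve_ids "$user") || { echo "no such host user: $user" >&2; return 1; }
    mkdir -p "$stack_dir"
    printf 'PUID=%s\nPGID=%s\n' "${ids%%:*}" "${ids##*:}" > "$stack_dir/.env"
}

# Numeric owner of a path. ls -n is POSIX; the stat flags differ between GNU and BSD.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# 0 if the host folder is owned by the user the container will run as, 1 otherwise.
# On failure it prints the chown that would fix the bind mount.
check_bind_mount() {
    dir="$1"; user="$2"
    ids=$(resolve_ids "$user") || return 1
    if [ "$(owner_uid "$dir")" = "${ids%%:*}" ]; then
        return 0
    fi
    echo "$dir is owned by uid $(owner_uid "$dir"), container runs as ${ids%%:*}; fix with: chown -R $ids '$dir'" >&2
    return 1
}

# Stand-alone usage on the NAS (assumed paths and user):
#   sh container-user.sh /volume1/stack/media/jellyfin mediauser /volume1/video
if [ -n "${2:-}" ]; then
    write_env "$1" "$2"
    cat "$1/.env"
    [ -n "${3:-}" ] && check_bind_mount "$3" "$2"
fi
```

Run `write_env` once per stack after creating the DSM user; rerun `check_bind_mount` on every folder you bind into the container, since DSM share ACLs and POSIX ownership are set separately and a folder created through File Station is typically owned by the user who created it, not by the container's user.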