
Add node-red user to dialout group

Open RaymondMouthaan opened this issue 5 years ago • 13 comments

Add node-red user to dialout group by default instead of node-red group.

From Debian Wiki:

dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.

In current images, node-red user has its own group node-red, which has no permissions to serial. To gain permission to serial, one needs to add --user node-red:dialout to the docker run command or equivalent in docker compose file.

We might want to add node-red user to the dialout group, so that above is no longer required and node-red has permission to serial by default.

However, current users might get permission issues with the persistent dir, because of current group.

Do all architectures have dialout group available?

[ √ ] amd64/alpine
[ √ ] arm32v6/alpine
[ √ ] arm32v7/alpine
[ √ ] arm64v8/alpine
[ √ ] i386/alpine
[ √ ] s390x/alpine

Proposal: create a feature branch for this change and do some tests.

RaymondMouthaan, Oct 17 '19 06:10

yes - create a dialout branch, etc

dceejay, Oct 17 '19 17:10

Test images & Manifest lists are available here

RaymondMouthaan, Oct 18 '19 05:10

There is already an existing option with docker or docker-compose 2.0 to add a user to a group, see https://docs.docker.com/engine/reference/run/#additional-groups

tms0, Oct 19 '19 13:10

Yes - very useful. The question is: should we do it by default? Or should we just document alternatives (like this)?

dceejay, Oct 19 '19 19:10

Can you really do it by default? I'm not a docker expert, but how can you be sure that the dialout gid from the image will be the same as the host one?

tms0, Oct 20 '19 14:10

We cannot be sure that the dialout gid on the host is the same as in the container. I've checked on Ubuntu installed on both Raspberry Pi and Mac-Mini and they match the gid 20 with the one in the container.

RaymondMouthaan, Oct 20 '19 17:10

So the suggestion to do it via command line would be safer in that it would match by name?

dceejay, Oct 20 '19 21:10

In case of node-red:node-red one always needs to supply node-red:dialout via command or docker-compose.yml if he/she wants to use serial. In case of node-red:dialout it works out of the box, unless there is a mismatch between dialout groupid on the host and container. Chances of a mismatch are rather small, since both Ubuntu and Alpine have dialout groupid set to 20. I assume on Raspbian (which is like Ubuntu based on Debian) the gid is the same, but maybe someone can verify this?

grep dialout /etc/group

So changing to group dialout might sound like a good idea ..

However when current users have set their persistence dir to 1000:1000 (most users have, I guess), changing the group node-red to dialout gives an Error: EACCES: permission denied.

Which basically means that all users will be affected by the change and need to chown the persistence dir:

chown -R 1000:20 <path_to_persistence_dir>

So in my opinion we leave as is (node-red:node-red) and for those that want to use serial, they just use --user node-red:dialout option or equivalent.

Or we add node-red users to both node-red group and dialout group, but this requires new dev images and tests :-)

New images are available at nodered/node-red-dev and they are tagged with *dialout.1*. In these images the node-red user is a member of both the node-red and dialout groups. This works for current users with persistence dir set to 1000:1000.

@tms0 can you verify if serial works with these images?

RaymondMouthaan, Oct 21 '19 06:10

In my opinion, I prefer to let users do the mapping themselves between things from the OS and things from the container.

But adding dialout as a secondary group seems acceptable to me, I will give it a try @RaymondMouthaan.

tms0, Oct 21 '19 08:10

I have a solution in mind, but that requires significant changes to the node-red container. I've not yet had the time to create an experimental version to do so, but if it's ready I'll let you know 😌

RaymondMouthaan, Oct 21 '19 09:10

FYI: On my intel-nuc (Intel(R) Client Systems NUC6CAYS) running CentOS Linux 8 the dialout group has id 18 on the host and not 20!

[root@nuc-jan ~]# grep dialout /etc/group
dialout:x:18:lirc
[root@nuc-jan ~]# 

[root@nuc-jan ~]# uname -a
Linux nuc-jan.borsbeek 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@nuc-jan ~]# 

Note that I am not requesting this feature. Above information is just provided for consideration when making any changes.

janvda, Aug 20 '20 08:08

Just in case helpful for others...

They've merged the v2/v3 compose specs which brings back the services element group_add. This was in v2 and removed in v3 releases.

So if you install docker-compose 1.27.0+ and are running Docker Engine 19.03.0+

  node-red:
    devices:
      - /dev/whatever
    group_add:
      - dialout

instead of user: "node-red:dialout"

and node-red user will be in both groups:

bash-5.0$ whoami
node-red
bash-5.0$ groups
node-red dialout

emes, Apr 30 '21 19:04

Nice! Thanks for sharing @emes!

kpm-at-hfi, Apr 30 '21 19:04
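
Added example, not part of the thread or the project's code: the GID 18 versus 20 difference reported above matters because a group name given to `--user`, `--group-add` or `group_add` is resolved in the image's `/etc/group`, while the device node carries the host's numeric GID. The sketch below compares the two and builds a numeric `--group-add`; the image group lines are constructed sample data assuming an Alpine-style GID 20, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The device node keeps the host's numeric
# GID, while a group *name* given to --user/--group-add/group_add is looked up
# in the image's /etc/group. If the two disagree, the name grants the wrong GID.

# Constructed sample data: the host line is the CentOS 8 output quoted in the
# thread; the image lines are an assumed Alpine-style /etc/group with GID 20.
HOST_GROUP='root:x:0:
dialout:x:18:lirc'
IMAGE_GROUP='root:x:0:root
dialout:x:20:root
node-red:x:1000:'

# gid_of NAME GROUP_FILE_CONTENT -> prints the GID; non-zero status if absent
gid_of() {
    printf '%s\n' "$2" |
        awk -F: -v g="$1" '$1 == g { print $3; ok = 1; exit } END { exit !ok }'
}

# compare_gid NAME HOST_CONTENT IMAGE_CONTENT -> "match GID" or "mismatch ..."
compare_gid() {
    h=$(gid_of "$1" "$2") || { echo "missing-on-host"; return 0; }
    i=$(gid_of "$1" "$3") || i=none
    if [ "$h" = "$i" ]; then
        echo "match $h"
    else
        echo "mismatch host=$h image=$i"
    fi
}

# group_add_arg NAME HOST_CONTENT -> docker argument using the host's number,
# which stays correct whatever the image's /etc/group says
group_add_arg() {
    h=$(gid_of "$1" "$2") || return 1
    echo "--group-add $h"
}

compare_gid dialout "$HOST_GROUP" "$IMAGE_GROUP"
group_add_arg dialout "$HOST_GROUP"
```

On a real host, feed it the output of `getent group dialout` and the image's `/etc/group` (for example via `docker run --rm --entrypoint cat <image> /etc/group`), and confirm the device's owning group with `ls -ln` on the device node.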